HTTP Method Override Enabled
| Severity | Info - High |
|---|---|
| CVEs | |
| Classifications | CWE-287: Improper Authentication |
| OWASP Category | OWASP API8:2023 Security Misconfiguration |
HTTP Method Override is a feature that allows clients to override the default HTTP method used in a request. This feature is commonly used to perform actions on the server using HTTP methods other than GET and POST, such as PUT, DELETE, PATCH, etc. The HTTP Method Override feature is typically implemented using custom headers or query parameters that specify the desired HTTP method to be used.
This feature can be exploited by attackers to bypass security controls and perform unauthorized actions on the server.
What is the impact?
Section titled “What is the impact?”Attackers can exploit this feature to bypass security controls and perform unauthorized actions on the server. Some of the common attacks that can be performed using HTTP Method Override include:
- CSRF attacks
- Bypassing authentication
- Bypassing access controls
How to test?
Section titled “How to test?”If you want to test only the “HTTP Method Allow Override Enabled” issues, you can use the following command:
vulnapi scan curl [url] --scans misconfiguration.http_method_overridevulnapi scan openapi [OpenAPI_Path_Or_URL] --scans misconfiguration.http_method_overridevulnapi scan graphql --scans misconfiguration.http_method_override [url]How to remediate?
Section titled “How to remediate?”To remediate this issue, you should disable the HTTP Method Override feature on the API or intermediate proxy. You can do this by configuring the server to only accept the expected HTTP methods (GET, POST, PUT, DELETE, etc.) and reject any other methods that are not explicitly allowed.
If you can not disable the HTTP Method Override behavior, ensure you implement proper access controls and validation checks to prevent unauthorized actions and that controls are not impacted by the method overriden. To do so, the usual way is to perform the checks before the method override is applied.