Skip to content

HTTP Method Override Enabled

SeverityInfo - High
CVEs
ClassificationsCWE-287: Improper Authentication
OWASP CategoryOWASP API8:2023 Security Misconfiguration

HTTP Method Override is a feature that allows clients to override the default HTTP method used in a request. This feature is commonly used to perform actions on the server using HTTP methods other than GET and POST, such as PUT, DELETE, PATCH, etc. The HTTP Method Override feature is typically implemented using custom headers or query parameters that specify the desired HTTP method to be used.

This feature can be exploited by attackers to bypass security controls and perform unauthorized actions on the server.

Attackers can exploit this feature to bypass security controls and perform unauthorized actions on the server. Some of the common attacks that can be performed using HTTP Method Override include:

  • CSRF attacks
  • Bypassing authentication
  • Bypassing access controls

If you want to test only the “HTTP Method Allow Override Enabled” issues, you can use the following command:

Terminal window
vulnapi scan curl [url] --scans misconfiguration.http_method_override

To remediate this issue, you should disable the HTTP Method Override feature on the API or intermediate proxy. You can do this by configuring the server to only accept the expected HTTP methods (GET, POST, PUT, DELETE, etc.) and reject any other methods that are not explicitly allowed.

If you can not disable the HTTP Method Override behavior, ensure you implement proper access controls and validation checks to prevent unauthorized actions and that controls are not impacted by the method overriden. To do so, the usual way is to perform the checks before the method override is applied.