Method Tampering


Overview

Method tampering can occur for several reasons. One is that developers sometimes fetch values using the "REQUEST" array, which lets the user inject variables via either GET or POST and have the application process them. To cause parameter pollution, a user can send via POST parameters that the developer expects to arrive in the URL. The user could also pass the same variable using both GET and POST. Either way, the application can be tricked by the bogus parameters.
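The difference between reading from the merged array and reading from the expected source can be seen in the following added example, which is not code from the original page. It assumes the "REQUEST" array is PHP's $_REQUEST; the parameter name "amount", both function names and all request data are hypothetical and constructed so the script runs from the PHP CLI.

```php
<?php
// Added example: all request data below is constructed and set inline so the
// script runs from the PHP CLI; a web server would populate these arrays.

// Weak: the merged array mixes GET and POST (and, depending on the
// request_order setting, cookies), so the handler cannot tell where the
// hypothetical "amount" parameter came from.
function readAmountWeak(array $request): ?string
{
    return $request['amount'] ?? null;
}

// Hardened: require the expected method, read only from the POST body, and
// reject the request if the same parameter also appears in the query string.
function readAmountStrict(string $method, array $get, array $post): string
{
    if ($method !== 'POST') {
        throw new RuntimeException('405: POST required');
    }
    if (array_key_exists('amount', $get)) {
        throw new RuntimeException('400: amount not allowed in the URL');
    }
    if (!isset($post['amount']) || !is_string($post['amount']) || !ctype_digit($post['amount'])) {
        throw new RuntimeException('400: amount must contain digits only');
    }
    return $post['amount'];
}

// Constructed requests: [method, query-string parameters, body parameters].
$cases = [
    'expected POST'   => ['POST', [], ['amount' => '10']],
    'method switched' => ['GET', ['amount' => '10'], []],
    'sent in both'    => ['POST', ['amount' => '999'], ['amount' => '10']],
];

foreach ($cases as $label => [$method, $get, $post]) {
    // Emulate request_order = "GP" (the value in the php.ini files shipped
    // with PHP): POST overwrites GET when both carry the same name.
    $request = array_merge($get, $post);
    $weak = var_export(readAmountWeak($request), true);
    try {
        $strict = readAmountStrict($method, $get, $post);
    } catch (RuntimeException $e) {
        $strict = 'rejected (' . $e->getMessage() . ')';
    }
    printf("%-16s weak=%-6s strict=%s\n", $label, $weak, $strict);
}
```

The weak reader returns a value in all three cases, while the strict reader accepts only the first.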

Discovery Methodology

Determine the parameters needed for a valid request. If the page submits requests via POST, change the method to GET and observe whether the request still works properly. Do the reverse for GET requests as well.

Exploitation

Method tampering can help with filter bypass and make cross-site request forgery easier.

Videos


YouTube: Determine HTTP Methods using Netcat
YouTube: How to list HTTP Methods with CURL
YouTube: How to list HTTP Methods with NMap
YouTube: Introduction to Method Tampering