
Authentication Bypass Using HTTP Verb Tampering or Body Parameters



Many web servers let you restrict access to a resource by HTTP method, requiring authentication for one or more listed methods (typically GET and POST).

The problem is that many configurations apply the restriction only to the methods that are listed. Any other method (HEAD, OPTIONS, TRACE, or an arbitrary verb such as FOO) is passed through to the application without the check, so an attacker reaches the protected resource simply by changing the verb. Quick check: send the same request to the protected URL with HEAD, OPTIONS and a made-up verb and compare the status codes against the GET response; a 200 where GET gets a 401 or 403 is the bypass.

Apache (.htaccess or httpd.conf): avoid the <Limit> directive, which guards only the verbs it names. Use <LimitExcept> to deny every verb that is not whitelisted, and keep the authentication requirement outside any Limit block so it applies to all methods.

Java EE (web.xml): avoid <http-method> inside a <security-constraint>. Listing methods in the <web-resource-collection> constrains only those methods; omit the element so the constraint covers every method.

ASP.NET (web.config): in the <authorization> section, rules are evaluated in order and the first match wins, so place <deny verbs="*" users="*"/> after the <allow> entries for the verbs and users you actually need.
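The following Python script is an added illustration and is not part of the original post. It runs two small http.server handlers on a loopback port and probes each with several verbs: LimitHandler mirrors a <Limit GET POST> block (only the listed verbs are authenticated), and LimitExceptHandler mirrors the hardened form (authentication on every verb, unlisted verbs refused with 405). The /admin path, the Basic credential and the verb list are constructed for the demo.

```python
"""Verb-tampering demo: a Limit-style check beside its LimitExcept-style fix.

Added example, not from the original post. The admin path, the credential
and the probed verbs are constructed for the demo.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROTECTED_PATH = "/admin"                    # hypothetical guarded resource
VALID_AUTH = "Basic YWRtaW46aHVudGVyMg=="    # constructed admin:hunter2, demo only
SECRET_BODY = b"admin panel"


class ResourceHandler(BaseHTTPRequestHandler):
    """Serves one resource and hands every verb to the same code path,
    the way a web server passes any request method to the application."""

    def log_message(self, fmt, *args):
        pass  # keep the demo quiet

    def __getattr__(self, name):
        # http.server looks up do_<VERB>; route all of them to serve().
        if name.startswith("do_"):
            return self.serve
        raise AttributeError(name)

    def requires_auth(self, method):
        raise NotImplementedError

    def serve(self):
        if self.requires_auth(self.command) and \
                self.headers.get("Authorization") != VALID_AUTH:
            self.reply(401, b"", {"WWW-Authenticate": 'Basic realm="admin"'})
            return
        self.reply(200, SECRET_BODY)

    def reply(self, status, body, extra=None):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        for key, value in (extra or {}).items():
            self.send_header(key, value)
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)


class LimitHandler(ResourceHandler):
    """Weak: like <Limit GET POST> Require valid-user </Limit>, the check
    applies only to the listed verbs; HEAD, OPTIONS or FOO walk straight in."""
    GUARDED = {"GET", "POST"}

    def requires_auth(self, method):
        return method in self.GUARDED


class LimitExceptHandler(ResourceHandler):
    """Hardened: authentication covers every verb, and verbs outside the
    whitelist are refused outright, like a <LimitExcept GET POST> deny block."""
    ALLOWED = {"GET", "POST"}

    def requires_auth(self, method):
        return True

    def serve(self):
        if self.command not in self.ALLOWED:
            self.reply(405, b"", {"Allow": ", ".join(sorted(self.ALLOWED))})
            return
        super().serve()


def probe(port, path, methods, auth=None):
    """Send each verb to the resource and record the status code."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        headers = {"Authorization": auth} if auth else {}
        conn.request(method, path, headers=headers)
        resp = conn.getresponse()
        resp.read()
        results[method] = resp.status
        conn.close()
    return results


def run_probe(handler, methods=("GET", "POST", "HEAD", "OPTIONS", "FOO"), auth=None):
    """Start the handler on a free loopback port, probe it, then shut it down."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe(server.server_address[1], PROTECTED_PATH, methods, auth)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("Limit-style  :", run_probe(LimitHandler))
    print("LimitExcept  :", run_probe(LimitExceptHandler))
    print("with creds   :", run_probe(LimitExceptHandler, auth=VALID_AUTH))
```

Against the Limit-style handler, GET and POST return 401 while HEAD, OPTIONS and FOO return 200 with the protected body (HEAD only the headers), which is exactly the bypass. Against the hardened handler every verb is either authenticated or rejected with 405. The probe() function is the reusable part: point it at a real host and path to run the same check during a test.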
