The HTTP Verb Tampering rule detects whether a REST service properly validates HTTP verbs sent in requests to that service. It runs when a Penetration Testing Tool is attached to a REST Client. If a service definition is associated with the request defined in the REST Client, then the rule checks HTTP verbs that are not defined in the service definition for the matching resource. A service definition can be associated in one of two ways:
- The Service Definition field in the REST Client is set to OpenAPI/Swagger, RAML, or WADL and the corresponding URL field is configured.
- If the Service Definition field in the REST Client is set to None, you can enable the "API Coverage" section in the Execution tab of the test configuration used to run the tests. You should uncheck the "Referenced by tests" option and specify a service definition that includes the resources to be tested. This option is useful for the case where REST Clients are configured without service definition information.
This vulnerability is reported when the application responds improperly to a resource defined in a service definition (such as OpenAPI or RAML) but made with an HTTP verb that was not included in the service definition. An attacker may be able to access data in the application that should otherwise be protected by modifying a known request to include a different HTTP verb in order to bypass access restrictions.
Solution
Define an allow list of permitted HTTP verbs for each resource in the application, and include all of them in a service definition for the application (such as OpenAPI or RAML). Reject all requests that do not match the allow list and/or the service definition with HTTP response code "405 Method Not Allowed". Make sure the caller is authorized to use the incoming HTTP verb for the resource specified in the request.
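The following Python example, added here and not taken from the page or from the tool it describes, shows the two halves of the solution side by side: a flawed handler whose authorization is keyed only to the verbs it knows about (so any other verb falls through to the resource), and a hardened handler that derives a per-resource verb allow list from the service definition, answers unlisted verbs with 405 plus an Allow header, and only then checks that the caller is authorized for that specific verb. A small verification routine mirrors what the rule checks, sending every undeclared verb to each resource and reporting any that is not rejected with 405. The service definition, the role model and both handlers are constructed for illustration; resource paths are matched literally, without parameter substitution.

```python
"""Per-resource HTTP verb allow list derived from a service definition.

Added example; not code from the original page or from the tool it describes.
The service definition, the roles and the two handlers are all constructed
for illustration.
"""
from typing import Callable, Dict, FrozenSet, List, Tuple

# Constructed stand-in for the "paths" object of an OpenAPI document:
# resource path -> operations declared for it. Only the verbs matter here.
SERVICE_DEFINITION = {
    "/orders": {"get": {}, "post": {}},
    "/orders/{id}": {"get": {}, "delete": {}},
}

# Verbs a verification run tries against every resource.
ALL_VERBS = ("GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "TRACE")

# Hypothetical role model: (path, verb) -> roles permitted to use it.
PERMISSIONS = {
    ("/orders", "GET"): {"customer", "admin"},
    ("/orders", "POST"): {"customer", "admin"},
    ("/orders/{id}", "GET"): {"customer", "admin"},
    ("/orders/{id}", "DELETE"): {"admin"},
}

Response = Tuple[int, Dict[str, str]]  # (status code, response headers)


def build_allow_list(definition: dict) -> Dict[str, FrozenSet[str]]:
    """Turn the service definition into path -> set of permitted verbs."""
    return {path: frozenset(m.upper() for m in ops) for path, ops in definition.items()}


def handle_weak(path: str, verb: str, role: str, allow_list: Dict[str, FrozenSet[str]]) -> Response:
    """Flawed handler: authorization is checked only for verbs that have a
    PERMISSIONS entry; any other verb falls through to the resource code."""
    if path not in allow_list:
        return 404, {}
    roles = PERMISSIONS.get((path, verb))
    if roles is not None and role not in roles:
        return 403, {}
    return 200, {}  # undeclared verbs (PUT, TRACE, ...) reach the resource unchecked


def handle_hardened(path: str, verb: str, role: str, allow_list: Dict[str, FrozenSet[str]]) -> Response:
    """Hardened handler: reject any verb not in the definition with 405,
    then require the caller to be authorized for that specific verb."""
    if path not in allow_list:
        return 404, {}
    allowed = allow_list[path]
    if verb not in allowed:
        # RFC 9110 requires an Allow header on a 405 response.
        return 405, {"Allow": ", ".join(sorted(allowed))}
    if role not in PERMISSIONS.get((path, verb), set()):
        return 403, {}
    return 200, {}


def verify_verb_handling(
    handler: Callable[[str, str, str, Dict[str, FrozenSet[str]]], Response],
    allow_list: Dict[str, FrozenSet[str]],
    role: str = "customer",
) -> List[Tuple[str, str, int]]:
    """Send every verb NOT declared for each resource and report those that
    did not come back as 405. Each entry is a (path, verb, status) finding."""
    findings = []
    for path, allowed in allow_list.items():
        for verb in ALL_VERBS:
            if verb in allowed:
                continue
            status, _ = handler(path, verb, role, allow_list)
            if status != 405:
                findings.append((path, verb, status))
    return findings


if __name__ == "__main__":
    allow = build_allow_list(SERVICE_DEFINITION)
    print("weak handler findings:    ", verify_verb_handling(handle_weak, allow))
    print("hardened handler findings:", verify_verb_handling(handle_hardened, allow))
```

Run against the weak handler, the verification reports every undeclared verb on both resources as reaching the resource with 200, including DELETE on `/orders`, which has no permission entry at all; against the hardened handler it reports nothing. Two design points carry over to real services: the allow list is built from the same document the tests read, so the definition and the enforcement cannot drift apart, and the 405 check runs before the authorization check, so an undeclared verb is rejected regardless of who sends it. Whether HEAD and OPTIONS count as implicitly permitted alongside GET is a policy decision; many frameworks add them automatically, and the service definition should then declare them so the rule and the server agree.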
References