HTTP Verb Tampering exploits Verb-Based Authentication and Access Control (VBAAC) mechanisms. When security rules explicitly list which HTTP methods are allowed, they inadvertently permit all unlisted methods. Attackers use HEAD, TRACE, or arbitrary strings like “JEFF” to bypass security constraints entirely.
The VBAAC Flaw (Java EE Example)
    <security-constraint>
      <web-resource-collection>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>admin</role-name>
      </auth-constraint>
    </security-constraint>
This rule intends to restrict /admin/* to admins. In practice, a HEAD or “JEFF” request bypasses the rule and executes the admin function without authentication.
Avoid Sending Sensitive Data via GET
# NEVER — the card number is logged in clear text in server logs:
http://www.example.com/process_card.asp?cardnumber=1234567890123456
Prevention Guidance
- Enable “deny all” as the default — protect all HTTP methods, not just listed ones.
- Remove all <http-method> elements from web.xml so that every method is protected equally.
- Configure the server to disallow HEAD requests entirely.
- Ensure all GET-accessible functions are idempotent (read-only, no state changes).
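To make the matching rule behind the flaw and the fix concrete, here is an added Python example (not code from the original page or from any Java EE container) that evaluates a web.xml security-constraint the way the Servlet specification does: a constraint covers only the methods it lists, and with no <http-method> elements it covers all of them. The two fragments are constructed inputs, and the helper names are the example's own.

```python
import xml.etree.ElementTree as ET

# Constructed fragments: the page's vulnerable constraint, and the hardened form with every <http-method> removed.
VULNERABLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
HARDENED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "<http-method>GET</http-method>", "").replace("<http-method>POST</http-method>", "")

def path_matches(pattern, path):
    """Servlet url-pattern matching: prefix '/x/*', extension '*.ext', or exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def is_authorized(web_xml, method, path, user_roles):
    """Decide a request like the container: a security-constraint applies only to
    the methods it lists (all methods when none are listed); a method that no
    constraint covers is simply unconstrained, which is the VBAAC gap."""
    root = ET.fromstring(web_xml)
    for sc in root.iter("security-constraint"):
        for wrc in sc.iter("web-resource-collection"):
            patterns = [p.text for p in wrc.iter("url-pattern")]
            methods = {m.text for m in wrc.iter("http-method")}
            if not any(path_matches(p, path) for p in patterns):
                continue
            if methods and method not in methods:
                continue  # unlisted method: the constraint is silently skipped
            auth = sc.find("auth-constraint")
            if auth is None:
                continue  # no auth-constraint: the resource is deliberately open
            roles = {r.text for r in auth.iter("role-name")}
            if not roles & set(user_roles):
                return False  # an empty auth-constraint denies everyone
    return True

def bypass_methods(web_xml, path, probes=("GET", "POST", "HEAD", "TRACE", "JEFF")):
    """Audit helper: which probe methods reach `path` with no roles at all."""
    return [m for m in probes if is_authorized(web_xml, m, path, [])]
```

Running `bypass_methods` over the page's fragment lists HEAD, TRACE and JEFF as unauthenticated paths to /admin/*, while the hardened fragment lists none.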