Method Tampering
Overview

Method tampering can occur for several reasons. One is that developers sometimes fetch values using the "REQUEST" array. This allows the user to inject variables into either GET or POST and have the application process them. To cause parameter pollution, a user can send parameters via POST which the developer thinks should be passed via the URL. The user could also pass a variable using both GET and POST. The application can be tricked by the bogus parameters.

Discovery Methodology

Determine the parameters needed for a valid request. If the page submits requests via POST, change the method to GET and observe whether the request still works properly. Do the reverse for pages that submit via GET.

Exploitation

Method tampering can help with filter bypass and make cross-site request forgery easier.

Videos

Determine HTTP Methods using Netcat
How to list HTTP Methods with CURL
How to list HTTP Methods with NMap
Introduction to Method Tampering
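The discovery steps from this page written as a repeatable check against your own handlers, as an added example that is not part of the original page. The handlers, parameter names and sample values are constructed; `handler_merged` models a merged GET/POST lookup in the style of the "REQUEST" array (POST winning on a duplicate name is an assumption), and `handler_strict` is the corrected form.

```python
# Added example: constructed handlers and sample data, not code from the original page.
ACTION_PARAMS = {"to", "amount"}          # hypothetical parameter names
SAMPLE = {"to": "alice", "amount": "10"}  # constructed sample request


def handler_merged(method, query, body):
    """Weak form: looks values up in a merged GET+POST view and ignores the method."""
    params = {**query, **body}  # assumption: POST value wins on a duplicate name
    if ACTION_PARAMS.issubset(params):
        return 200, f"sent {params['amount']} to {params['to']}"
    return 400, "missing parameter"


def handler_strict(method, query, body):
    """Corrected form: POST only, values from the body only, none in the URL."""
    if method != "POST":
        return 405, "method not allowed"
    if ACTION_PARAMS.intersection(query):
        return 400, "unexpected URL parameter"
    if not ACTION_PARAMS.issubset(body):
        return 400, "missing parameter"
    return 200, f"sent {body['amount']} to {body['to']}"


def method_tampering_findings(handler, params):
    """Run the page's discovery steps against a handler whose form submits via POST."""
    status, _ = handler("POST", {}, params)
    if status != 200:
        raise ValueError("baseline POST request is not valid")
    findings = []
    # Change the method to GET and move the parameters into the URL.
    if handler("GET", params, {})[0] == 200:
        findings.append("POST action also works via GET")
    # Keep POST but pass the parameters via the URL instead of the body.
    if handler("POST", params, {})[0] == 200:
        findings.append("URL parameters accepted on a POST action")
    # Pass one variable using both GET and POST.
    name = sorted(params)[0]
    if handler("POST", {name: "bogus"}, params)[0] == 200:
        findings.append("same parameter accepted in both URL and body")
    return findings


if __name__ == "__main__":
    for h in (handler_merged, handler_strict):
        print(h.__name__, method_tampering_findings(h, SAMPLE))
```

An empty findings list for a handler means it rejected all three variations; wiring the same three requests into an integration test keeps the method restriction from regressing.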