Bypassing Web Authentication and Authorization With HTTP Verb Tampering: How to Inadvertently Allow Attackers Full Access to Your Web Application
Many web environments allow verb-based authentication and access control (VBAAC). The rules for these security controls use the HTTP verb (also called the method), such as GET or POST, as part of a security decision. A typical rule of this kind limits access to the /admin directory to users with the "Admin" role. Many tutorials and public examples of secure configurations list POST, GET (and sometimes PUT) as the HTTP methods under which a security constraint applies. Unfortunately, almost all implementations of this mechanism behave in an unexpected and insecure way: rather than denying methods not specified in the rule, they allow any method that is not listed. Ironically, by listing specific methods in their rule, developers are actually allowing more access than they intended.
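The following is an added example, not code from the original article: a minimal model of the VBAAC semantics described above, contrasting the common "listed methods only" evaluation with a hardened one, plus a lint that flags rules listing explicit methods. The rule format, the `/admin` path and the "Admin" role are constructed for illustration and do not correspond to any particular server's configuration syntax.

```python
"""Model of verb-based access control (VBAAC) rule evaluation.

Constructed example: the Rule shape and the helper functions are illustrative,
not a real container's API. They reproduce the behaviour the text describes:
a constraint that names HTTP methods silently stops applying to other verbs.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence


@dataclass(frozen=True)
class Rule:
    path_prefix: str
    roles: FrozenSet[str]
    # None means the constraint applies to every HTTP method.
    methods: Optional[FrozenSet[str]] = None


def authorize_weak(rules: Sequence[Rule], method: str, path: str,
                   user_roles: FrozenSet[str]) -> bool:
    """Common (insecure) semantics: a rule listing methods only matches those
    verbs, so a request with any other verb finds no constraint at all."""
    for r in rules:
        if path.startswith(r.path_prefix) and (r.methods is None or method in r.methods):
            return bool(user_roles & r.roles)
    return True  # no matching constraint: request is allowed


def authorize_hardened(rules: Sequence[Rule], method: str, path: str,
                       user_roles: FrozenSet[str]) -> bool:
    """Hardened semantics: any rule matching the path applies to every verb;
    if methods are listed, unlisted verbs are denied rather than ignored."""
    for r in rules:
        if path.startswith(r.path_prefix):
            if r.methods is not None and method not in r.methods:
                return False
            return bool(user_roles & r.roles)
    return False  # default deny for unconstrained paths


def lint_rules(rules: Sequence[Rule]) -> List[str]:
    """Report paths whose rules enumerate methods (likely unintended exposure)."""
    return [r.path_prefix for r in rules if r.methods is not None]


# Constructed sample rule in the style the text criticises: GET and POST listed.
ADMIN_RULE = Rule("/admin", frozenset({"Admin"}), frozenset({"GET", "POST"}))
```

Under the weak semantics a HEAD request to `/admin/users` from an anonymous user is allowed, while the hardened evaluation denies it; `lint_rules` surfaces the rule as one to review.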