
HTTP Method Override Enabled

Severity: Info - High
CVEs:
Classifications: CWE-287: Improper Authentication
OWASP Category: OWASP API8:2023 Security Misconfiguration

HTTP Method Override is a feature that allows clients to override the default HTTP method used in a request. This feature is commonly used to perform actions on the server using HTTP methods other than GET and POST, such as PUT, DELETE, PATCH, etc. The HTTP Method Override feature is typically implemented using custom headers or query parameters that specify the desired HTTP method to be used.

This feature can be exploited by attackers to bypass security controls and perform unauthorized actions on the server.

What is the impact?

Attackers can exploit this feature to bypass security controls and perform unauthorized actions on the server. Some of the common attacks that can be performed using HTTP Method Override include:

  • CSRF attacks
  • Bypassing authentication
  • Bypassing access controls

How to test?

If you want to test only the "HTTP Method Allow Override Enabled" issues, you can use the following command:

vulnapi scan curl [url] --scans misconfiguration.http_method_override

How to remediate?

To remediate this issue, you should disable the HTTP Method Override feature on the API or intermediate proxy. You can do this by configuring the server to only accept the expected HTTP methods (GET, POST, PUT, DELETE, etc.) and reject any other methods that are not explicitly allowed.

If you cannot disable the HTTP Method Override behavior, ensure you implement proper access controls and validation checks so that unauthorized actions are prevented and the controls are not affected by the overridden method. The usual way to do this is to perform the checks before the method override is applied.
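The two orderings described above, as a constructed Go example added here (not vulnapi code and not from the page): one handler runs its access check on the method as received and applies the override afterwards, the other resolves the effective method, checks it against the allowlist and the access control, and only then lets the override take effect. The header name, the URL and the admin token are assumptions.

```go
package main
import "net/http"
// Header name is an assumption (frameworks spell it differently; the page names none).
const overrideHeader = "X-HTTP-Method-Override"
// Methods this API serves; the hardened path rejects an override to anything else.
var allowedMethods = map[string]bool{"GET": true, "POST": true, "PUT": true, "PATCH": true, "DELETE": true}
// overriddenMethod returns the method an override layer would execute for r.
func overriddenMethod(r *http.Request) string {
	if m := r.Header.Get(overrideHeader); m != "" && r.Method == http.MethodPost {
		return m
	}
	return r.Method
}
// authorize is a stand-in access control: only DELETE needs the (constructed) admin token.
func authorize(method string, r *http.Request) bool {
	return method != http.MethodDelete || r.Header.Get("Authorization") == "Bearer admin-token"
}
// execute stands in for the business logic; 204 means the resource was deleted.
func execute(method string) int {
	if method == http.MethodDelete {
		return http.StatusNoContent
	}
	return http.StatusOK
}
// vulnerable authorizes the method as received, then applies the override: an unauthenticated POST passes the DELETE check and runs as DELETE.
func vulnerable(r *http.Request) int {
	if !authorize(r.Method, r) {
		return http.StatusForbidden
	}
	return execute(overriddenMethod(r)) // the control never saw this method
}
// hardened resolves the effective method, allowlists and authorizes it, and only then applies the override.
func hardened(r *http.Request) int {
	effective := overriddenMethod(r)
	if !allowedMethods[effective] {
		return http.StatusMethodNotAllowed
	}
	if !authorize(effective, r) {
		return http.StatusForbidden
	}
	return execute(effective) // override applied only after the controls passed
}
// request builds a POST to a constructed URL carrying the given override value and token.
func request(override, token string) *http.Request {
	r, _ := http.NewRequest(http.MethodPost, "https://api.example.invalid/items/42", nil)
	r.Header.Set(overrideHeader, override)
	r.Header.Set("Authorization", token)
	return r
}
func main() { println(vulnerable(request("DELETE", "")), hardened(request("DELETE", ""))) } // 204 403
```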
