httpMethodOverrideCapability.bcheck
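metadata:
    language: v2-beta
    name: "HTTP method override capability detected"
    description: "Check for the support for a request parameter or a request header allowing to override the HTTP method."
    author: "Dominique Righetto"
    tags: "active"

define:
    # Method pushed through the override channels. The detection below keys on
    # an "Allow" response header, which is the usual reply to OPTIONS, so a
    # server that honours the override is expected to answer with it.
    test_method = "OPTIONS"

# Sources:
# https://github.com/PortSwigger/param-miner/blob/master/resources/headers
# https://github.com/PortSwigger/param-miner/blob/master/resources/params
# https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods
# https://www.sidechannel.blog/en/http-method-override-what-it-is-and-how-a-pentester-can-use-it/
given path then
    # To prevent causing any trouble on the target app then only apply the check on GET requests
    if {base.request.method} is "GET" then
        # Every override header and query parameter is sent in a single probe;
        # a hit therefore means "at least one of them is honoured", not which one.
        send request called checkOverrideSupport:
            appending headers:
                "x-method-override": `{test_method}`,
                "x-http-method-override": `{test_method}`,
                "x-http-method": `{test_method}`,
                "request-method": `{test_method}`
            appending queries:
                `method={test_method}`,
                `_method={test_method}`

        # Report only when the "Allow" header is introduced by the probe. A server
        # that already returns "Allow" on the plain baseline GET would otherwise be
        # flagged as a false positive. "\s*" (instead of "\s+") also accepts a header
        # written without a space after the colon, which the HTTP grammar permits.
        if {checkOverrideSupport.response.headers} matches "(?i)allow:\s*[A-Z,]+" and not({base.response.headers} matches "(?i)allow:\s*[A-Z,]+") then
            report issue:
                severity: info
                confidence: firm
                detail: "Endpoints support a hidden parameter/header, allowing to override the HTTP method effectively used to handle the HTTP requests."
                remediation: "Remove the support for the hidden request parameters/headers."
        end if
    end if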