From da5b6819c1c53514ef8743d7ab4c80187488f00b Mon Sep 17 00:00:00 2001
From: Dominique RIGHETTO <righettod@users.noreply.github.com>
Date: Tue, 2 Jul 2024 18:36:19 +0200
Subject: [PATCH] Add files via upload

---
 other/httpMethodOverrideCapability.bcheck | 36 +++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 other/httpMethodOverrideCapability.bcheck

diff --git a/other/httpMethodOverrideCapability.bcheck b/other/httpMethodOverrideCapability.bcheck
new file mode 100644
index 0000000..604e41a
--- /dev/null
+++ b/other/httpMethodOverrideCapability.bcheck
@@ -0,0 +1,36 @@
+metadata:
+  language: v2-beta
+  name: "HTTP method override capability detected"
+  description: "Check for the support for a request parameter or a request header allowing to override the HTTP method."
+  author: "Dominique Righetto"
+  tags: "active"
+
+define:
+  test_method = "OPTIONS"
+
+# To prevent causing any trouble on the target app then only apply the check on GET requests
+# Sources:
+# https://github.com/PortSwigger/param-miner/blob/master/resources/headers
+# https://github.com/PortSwigger/param-miner/blob/master/resources/params
+# https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/06-Test_HTTP_Methods
+# https://www.sidechannel.blog/en/http-method-override-what-it-is-and-how-a-pentester-can-use-it/
+given path then
+    if {base.request.method} is "GET" then
+        send request called checkOverrideSupport:
+            appending headers:
+                "x-method-override": `{test_method}`,
+                "x-http-method-override": `{test_method}`,
+                "x-http-method": `{test_method}`,
+                "request-method": `{test_method}`
+            appending queries:
+                `method={test_method}`,
+                `_method={test_method}`
+
+         if {checkOverrideSupport.response.headers} matches "(?i)allow:\s+[A-Z,]+" then
+            report issue:
+                severity: info
+                confidence: firm
+                detail: "Endpoints support a hidden parameter/header, allowing to override the HTTP method effectively used to handle the HTTP requests."
+                remediation: "Remove the support for the hidden request parameters/headers."
+        end if
+    end if
\ No newline at end of file