HTTP Methods Tampering and using automated bash script to verb tamper.

HTTP Verb Tampering

Okay, so I had done some research on verbs tampering lately, and most of you could get this information in the floating web. What’s not included is the fact that there are really three relevant methods to tamper and byass the VBAAC (Verb Based Authentication and Access Control) which is a security descriptor in and contains a security rule specified under certain web environments. To make the process easy and flexible, here is a small bash script one could use:



The 3 possible ways to bypass VBAAC are:

a.) Via the HEAD Verb (as a request method)

b.) Via any arbitary method (but the calling function should not rely on a servlet {HttpServlet} but instead any service e.g: JSP service etc .. )

c.) Insecure Security Constraints on vendor based security rule descriptors.

The following code would take you (as a web application penetration tester) to test if certain entry points using common request methods are allowed are not, if allowed, you would be prompted with the “RESPONSE” with use of “OPTIONS” as a request header (if at all OPTIONS is allowed, obviously!), if not, this script would try to get response for all the provided methods in the ‘webservmethod’, if methods are not allowed, you would see “Method Not Allowed” in the response.


for webservmethod in OPTIONS  GET  POST  PROPFIND ;
printf "$webservmethod";
printf " ";
printf "$webservmethod / HTTP/1.1nHost:$1nn"|nc $1 80 | grep "200";

Consider giving this script a

‘chmod +x’

Also consider not using special chars in-between, it highly is sensitive to the $1 and Host: input fileds. Enjoy!