Original Post: Be careful what you request for
HTTP Verbs
HTTP supports custom verbs beyond the standard GET and POST, as outlined in RFC 2616, Section 9. This flexibility can lead to vulnerabilities if the method name is not handled carefully.
OOPS HTTP/1.1
An XSS vulnerability in Django apps illustrates the risk. A Django view checks request.method and returns an HttpResponseBadRequest if the method is neither GET nor POST, reflecting the method name in the response message. This can be exploited with crafted HTTP verbs, because the HTTP stack parses whatever token appears as the method and upper-cases it.
A specially crafted payload such as <A/HREF="HTTPS://GOOGLE.COM">BACK</A> can bypass such restrictions. Although modern browsers restrict unusual HTTP verbs, reflecting request.method in a response is still risky.
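To make the pattern concrete, here is an added example (not code from the original post) that puts the reflecting view beside a version answering with a fixed message; the HttpRequest and HttpResponse classes are minimal stand-ins constructed so the example runs without Django installed.

```python
from dataclasses import dataclass, field

# Minimal stand-ins for Django's HttpRequest/HttpResponse (constructed for this
# example; they are not Django's classes) so the code runs offline.
@dataclass
class HttpRequest:
    method: str

@dataclass
class HttpResponse:
    content: str
    status_code: int = 200
    headers: dict = field(default_factory=dict)

# Vulnerable pattern from the post: the client-supplied method token is echoed
# verbatim into the error body, so any markup in it reaches the page unescaped.
def vulnerable_view(request: HttpRequest) -> HttpResponse:
    if request.method not in ("GET", "POST"):
        return HttpResponse(f"Unsupported method: {request.method}", status_code=400)
    return HttpResponse("ok")

# Hardened pattern: never reflect the verb. Reply with a fixed message and an
# Allow header listing the permitted methods (what Django's
# HttpResponseNotAllowed does for you).
def hardened_view(request: HttpRequest) -> HttpResponse:
    allowed = ("GET", "POST")
    if request.method not in allowed:
        resp = HttpResponse("Method not allowed", status_code=405)
        resp.headers["Allow"] = ", ".join(allowed)
        return resp
    return HttpResponse("ok")

# The crafted verb from the post. The server accepts it as the method token and
# upper-cases it, which is why the payload is written in upper case to begin with.
CRAFTED_METHOD = '<A/HREF="HTTPS://GOOGLE.COM">BACK</A>'

def reflects_method(view, method: str = CRAFTED_METHOD) -> bool:
    """True if the raw method token appears in the view's response body."""
    # Mimic the upper-casing the HTTP layer applies before the view sees it.
    response = view(HttpRequest(method=method.upper()))
    return method in response.content
```

Running reflects_method against each view shows the vulnerable one echoing the markup and the hardened one never doing so.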
Security Measures
Use a tool such as Semgrep to scan code for this pattern and ensure that request.method is not reflected in responses. Example rules are provided to detect and prevent this vulnerability.
For more information, visit Semgrep and Semgrep GitHub.
Go here to read the Original Post