Skip to content

The Unexpected Consequences of Getting What You Wish For

Original Post: Be careful what you request for

HTTP Verbs

HTTP supports custom verbs beyond the standard GET and POST, as outlined in RFC2616, Section 9. This flexibility can lead to vulnerabilities if not handled properly.

OOPS HTTP/1.1

An XSS vulnerability example in Django apps illustrates the risk. A Django view checks the request.method and returns a HttpResponseBadRequest if it’s not GET or POST, reflecting the method in the response message. This can be exploited using crafted HTTP verbs, parsed and uppercase-transformed by HTTP protocols.

Special crafted payloads (e.g., <A/HREF="HTTPS://GOOGLE.COM">BACK</A>) can bypass such restrictions. Although modern browsers restrict unusual HTTP verbs, reflecting request.method is still risky.

Security Measures

Use tools like Semgrep to scan code for this pattern, ensuring request.method is not reflected in responses. Example rules are provided to detect and prevent such vulnerabilities.

For more information, visit Semgrep and Semgrep GitHub.

Go here to read the Original Post

Leave a Reply

Your email address will not be published. Required fields are marked *

Exit mobile version