Why It Matters
Access controls often guard only the doors developers expect attackers to use. A login wall placed in front of GET and POST can leave HEAD, OPTIONS, PUT, DELETE, and TRACE unguarded, and an attacker who changes nothing but the verb on an otherwise identical request walks straight in. Because the control looks correct in a normal browser, whose page loads and form submissions are only GETs and POSTs, the flaw can survive in production for years.
HTTP method tampering (OWASP also calls it HTTP verb tampering) is a textbook form of broken access control, A01 in the OWASP Top 10 2021, and it is trivial to test once you intercept a request with a proxy such as Burp Suite.
How It Works
A protected admin path returns 401 in the browser. The tester captures the request and replays it with different methods, changing nothing else:
GET /admin -> 401 Unauthorized
POST /admin -> 401 Unauthorized
HEAD /admin -> 200 OK
OPTIONS /admin -> 200 OK
A 200 on HEAD shows that the request reached the protected handler even though HEAD carries no body: the evidence is in the status line and response headers (Content-Length, Set-Cookie) rather than in content. It matters beyond disclosure, too, because many frameworks serve HEAD by running the GET handler and discarding the body, so any side effect of the GET still executes. The underlying misconfiguration is usually a method allow list; in Apache it looks like a block that names only two methods:
<Limit GET POST>
    # require applies only to the methods listed above
    require valid-user
</Limit>
Everything left unnamed, OPTIONS, PUT, DELETE, PATCH, TRACE, and any invented verb, skips the authentication check entirely. Apache treats HEAD as GET inside <Limit>, so a HEAD bypass like the one above points at a framework or server that routes HEAD separately. A related variant abuses frameworks that route an unexpected method to the same handler but apply a different, weaker authorization path.
Why It Persists
The bug survives because developers reason about the two methods a browser actually uses and forget the rest of the HTTP specification, along with any verb a client cares to invent. Allow listing the methods to protect feels safe, but any method left off the list inherits no protection. Load balancers, legacy mod_auth rules, and copied configuration snippets spread the same pattern across many applications.
How to Test for It
For every protected endpoint, replay the captured request without credentials through the full method set: GET, POST, PUT, DELETE, HEAD, OPTIONS, PATCH, and TRACE. A 401, 403, or 405 is the expected answer; a 200, a redirect into the protected area, or a body or header set that differs from the GET response is a finding. Compare HEAD responses by status and headers, since HEAD never returns a body. Finish with an arbitrary or made-up method such as FOO, which sometimes reveals even looser catch-all routing.
Prevention
Enforce authorization on every method by default and allow only the verbs an endpoint actually needs. Replace method-specific configuration blocks with a deny-by-default policy; in Apache that means placing the require directive outside any <Limit> block so it applies to every method. Return 405 for unsupported methods, disable TRACE, and retest every restricted endpoint with the full method set to verify the control cannot be sidestepped.
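The following is an added example, not code from the original page or from any product it mentions. It puts the two handler shapes discussed above side by side, an admin endpoint whose authorization check is wired only to GET and POST (the same shape as the <Limit GET POST> allow list and the weaker catch-all routing variant) and a hardened version that authorizes every verb before routing and answers 405 for anything the endpoint does not need, and runs the method sweep from the testing section against both. The /admin path, the admin:password credential, the verb list, and the invented FOO verb are all constructed for the demonstration; the servers listen on loopback only.

```python
# Added example (not from the original page): a toy admin endpoint whose
# authorization check covers GET and POST only, a hardened variant that checks
# every verb in one place, and the unauthenticated method sweep a tester replays.
# Path, credential and verb list are constructed for the demo.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credential for the demo: base64("admin:password").
VALID_AUTH = "Basic YWRtaW46cGFzc3dvcmQ="
# The full sweep from the text plus one invented verb to probe catch-all routing.
METHODS = ["GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "PATCH", "TRACE", "FOO"]


class AdminHandler(BaseHTTPRequestHandler):
    """Shared plumbing: every verb, known or invented, lands in dispatch()."""

    def __getattr__(self, name):
        # http.server looks up do_<VERB>; route all of them to dispatch() so the
        # policy inside dispatch() is the only gate. Other missing attributes
        # must still raise AttributeError so the library's hasattr() checks work.
        if name.startswith("do_"):
            return self.dispatch
        raise AttributeError(name)

    def _authorized(self):
        return self.headers.get("Authorization") == VALID_AUTH

    def _reply(self, status, body=b"", **headers):
        self.send_response(status)
        for key, value in headers.items():
            self.send_header(key.replace("_", "-"), value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":  # HEAD carries headers only
            self.wfile.write(body)

    def _deny(self):
        self._reply(401, b"login required\n", WWW_Authenticate='Basic realm="admin"')

    def _admin_action(self):
        self._reply(200, b"admin panel\n")

    def log_message(self, *args):  # keep the demo quiet
        pass


class VulnerableHandler(AdminHandler):
    # Allow-list shape: only the two verbs a browser sends are checked, so
    # PUT, DELETE, OPTIONS, TRACE, HEAD and FOO reach the action unauthenticated.
    def dispatch(self):
        if self.command in ("GET", "POST") and not self._authorized():
            return self._deny()
        self._admin_action()


class HardenedHandler(AdminHandler):
    ALLOWED = ("GET", "HEAD", "POST")

    # Deny by default: authorize before looking at the verb, then 405 anything
    # the endpoint does not need (TRACE and invented verbs included).
    def dispatch(self):
        if not self._authorized():
            return self._deny()
        if self.command not in self.ALLOWED:
            return self._reply(405, b"", Allow=", ".join(self.ALLOWED))
        self._admin_action()


def sweep(port, path="/admin", auth=None, methods=METHODS):
    """Replay the identical request with every verb; return {verb: status}."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        conn.request(method, path, headers={"Authorization": auth} if auth else {})
        resp = conn.getresponse()
        resp.read()
        results[method] = resp.status
        conn.close()
    return results


def findings(results):
    """Without credentials every verb should be refused; any 200 is a bypass."""
    return sorted(verb for verb, status in results.items() if status == 200)


def demo():
    """Sweep both servers anonymously and with valid credentials."""
    out = {}
    for name, handler in (("vulnerable", VulnerableHandler), ("hardened", HardenedHandler)):
        srv = HTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            out[name] = {"anon": sweep(srv.server_port),
                         "auth": sweep(srv.server_port, auth=VALID_AUTH)}
        finally:
            srv.shutdown()
            srv.server_close()
    return out


if __name__ == "__main__":
    for name, runs in demo().items():
        print(name, runs["anon"], "bypass:", findings(runs["anon"]))
```

Against a real target the sweep is the same loop pointed at the captured request (or the equivalent Burp Repeater session); the point of findings() is that the tester's only oracle should be "no credentials, yet a 200", not whether the verb looks sensible. Note that the hardened handler checks credentials before it decides whether the verb is allowed, so an unauthenticated probe learns nothing about which methods the endpoint supports.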
How We Teach HTTP Method Tampering
In our Cybersecurity Bootcamp, you won't just learn about HTTP Method Tampering in theory. You'll practice with real tools in hands-on labs, guided by industry professionals who use these concepts daily.
Covered in:
Module 10: Penetration Testing and Ethical Hacking
360+ hours of expert-led training • CompTIA Security+ included