VERB TAMPERING EXPLAINED TO A NOVICE OR IN SIMPLE TERMINOLOGY.

As someone new to penetration testing, bug bounty hunting, ethical hacking, or cybersecurity in general, you have probably heard the term “VERB TAMPERING” and been confused about what it means. Let’s start with the English question “WHAT IS A VERB?”

Back in primary school, a quick way our teacher taught us what a verb is was the definition: “A verb is an action word or a doing word.” This implies that in any context where a verb is used, it denotes an instruction or action that is “needed to be performed”, “in action”, or “already performed.” Remember these three terms:

  • Needed to be Performed.
  • In Action or
  • Already performed.

From the perspective of a bug hunter, penetration tester, ethical hacker, offensive security expert, web-application user, web-security expert, etc., each time you access a web application or mobile application to request data, an action is taken. This action is also known as a “REQUEST”.

For example, when you request a web page from www.fixitgearware.com, you are performing a “GET” action, activity, or request. This is known as a “VERB”. If the server is configured to accept that verb, i.e. a “GET” request, the server responds with a “200 OK” status code and the resource is displayed to the user; otherwise a “403 Forbidden” status code is triggered.

[Image: Hackers are known to manipulate HTTP request methods using verb tampering. Image source: Fixitgearware]

Understanding VERB TAMPERING:

To gain a deeper understanding of “VERB TAMPERING”, let’s first list the verbs, i.e. the available actions also known as “HTTP Request Methods”, that a web server can permit.

  1. GET: Tells the server that the requested resource should be fetched, including the message body (the content of the requested resource).
  2. HEAD: Performs the same action as “GET”, but the message body is excluded from the response.
  3. POST: Submits data or content to the specified resource (e.g. forms, APIs, etc.). This request method usually effects a change on the web server.
  4. PUT: Replaces the current representation of the targeted resource with the request payload. E.g. when a certain parameter is encoded, a payload is supplied, and the “PUT” request method is used, the specific entity identified by that parameter is replaced with the supplied payload.
  5. DELETE: Removes or deletes the specified resource from the web server.
  6. CONNECT: Establishes a tunnel to the server identified by the target resource.
  7. OPTIONS: Displays the communication methods the web server accepts for the specific resource targeted. Using this HTTP request method displays the actions (verbs, e.g. GET, PUT, etc.) permitted on the web server holding the accessed resource.
  8. TRACE: This request method is considered a loop-back test, which displays the path to the targeted resource. Hackers and bug hunters can use this HTTP method to reveal server information such as the version, and possibly use this information to search for exploit code.
  9. PATCH: This method enables the requested resource on the web server to be partially modified.

Now that we understand what these “VERBS”, also known as “HTTP REQUEST METHODS”, are, the next question is:

What Is VERB TAMPERING?

When a web developer or software developer builds a website or application, certain security measures are put in place. These security measures define the “Permissible Actions” or “HTTP Request Methods” that the web server should honour when a user tries to access specific resources.

A flaw in the web server configuration, or an error in the code design, could lead to detrimental actions against the database or web server belonging to that particular web application.

Example:

If a registration form that is supposed to accept only the “POST” request method also allows the “GET” request method, a hacker could intercept a request using a proxying tool, modify the header information, and replay the request. Depending on the “HTTP Request Method” used, this could lead to the server or database revealing information or data belonging to a legitimate user. A clear example of this flaw can be seen in API calls, which may reveal the PII of customers of the organization whose API resources are being tampered with by the hacker.

Having explained that, we can now define verb tampering from a cybersecurity perspective and from a web-application security perspective.

VERB TAMPERING DEFINED IN CYBERSECURITY:

“VERB Tampering, from a cybersecurity perspective, can be defined as altering, manipulating, modifying, tricking, and interfering with a resource, evidence, or content with the sole aim of causing damage to the original content of that specific resource.” – BENEDICT, CEO AND FOUNDER OF FIXITGEARWARE SECURITY.

VERB TAMPERING DEFINED IN WEB-APPLICATION SECURITY:

“VERB Tampering, from a web-application security perspective, is the intercepting of a resource using a proxying tool such as ZAP proxy, Burp Suite, or Caido, and altering the header information such as the HTTP Request Method type (i.e. GET, POST, etc.), in order to trick or manipulate the web server or database holding the requested resource into taking damaging actions that are pertinent to the HTTP Request Method which has been modified by the user.” – BENEDICT, CEO AND FOUNDER OF FIXITGEARWARE SECURITY.

These actions involving “VERB TAMPERING” arise due to a lack of proper security configuration on the web server, errors notably stemming from bad software design principles, or the lack of good security personnel integrated into the DevSecOps team. Various HTTP request methods can be used in “VERB TAMPERING” to manipulate the server into taking actions that depend on the altered or manipulated “Method Type (i.e. GET, PUT, etc.).”
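The registration-form example above and the misconfiguration described in this closing paragraph, as an added example that is not from the original article: a minimal Python request router in which the weak handler matches routes on path alone (so GET /register is processed exactly like POST /register), beside a hardened handler that enforces a per-route method allowlist, answers any other verb with 405 plus an Allow header, and strips the body for HEAD. The routes, the register() stand-in and the parameter names are constructed for illustration.

```python
from urllib.parse import parse_qs

# Per-route method allowlist (constructed example): the registration form
# may only be submitted with POST; the profile page is read-only.
ALLOWED = {
    "/register": {"POST"},
    "/profile": {"GET", "HEAD"},
}


def register(params):
    # Hypothetical stand-in for the real registration logic.
    user = params.get("user", [""])[0]
    return 200, f"registered {user}", {}


def weak_handle(method, path, query):
    """Weak configuration: routes are matched on the path alone, so a
    replayed GET /register?user=eve is processed like POST /register.
    (Parameters are taken from the query string for simplicity.)"""
    params = parse_qs(query)
    if path == "/register":
        return register(params)
    if path == "/profile":
        return 200, "profile page", {}
    return 404, "not found", {}


def hardened_handle(method, path, query):
    """Hardened: every route carries an explicit method allowlist. Other
    verbs get 405 with an Allow header, OPTIONS only ever reveals that
    allowlist, and HEAD returns the GET response without its body."""
    if path not in ALLOWED:
        return 404, "not found", {}
    allow = ", ".join(sorted(ALLOWED[path]))
    if method == "OPTIONS":
        return 204, "", {"Allow": allow}
    if method not in ALLOWED[path]:
        return 405, "method not allowed", {"Allow": allow}
    params = parse_qs(query)
    status, body, headers = (register(params) if path == "/register"
                             else (200, "profile page", {}))
    if method == "HEAD":
        body = ""  # same as GET, message body excluded
    return status, body, headers


if __name__ == "__main__":
    for handler in (weak_handle, hardened_handle):
        print(handler.__name__, handler("GET", "/register", "user=eve")[:2])
```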

