//Question

How does HTTP verb tampering bypass authentication in web applications?

Posted on 20th August, 2024

Evan

//Answer

HTTP verb tampering is a technique used by attackers to bypass authentication or authorization controls in web applications by exploiting misconfigurations related to HTTP methods (verbs). Web servers typically handle common HTTP verbs like GET, POST, PUT, and DELETE. However, if an application has misconfigured access controls for certain HTTP verbs, an attacker may manipulate these verbs to gain unauthorized access.

For example, an application may enforce authentication for POST requests but needs to enforce the same rules for less common HTTP verbs, like PUT or DELETE. An attacker can exploit this by sending a request with a different verb that bypasses the authentication check, allowing them to perform restricted actions.

To prevent HTTP verb tampering, developers must ensure that all HTTP methods are secured adequately with consistent authentication and authorization checks, regardless of the verb used in the request.
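To make the misconfiguration concrete, here is a small added example (not code from the answer above or from any real framework) using a toy in-memory request dispatcher. The `vulnerable_app` guards only the verbs the developer thought about, so a privileged handler reached through PUT or DELETE skips the check; the `hardened_app` authenticates before any verb-specific logic and routes only an explicit allow-list of methods. The `Request`/`Response` types, route, handler and token value are all constructed for the illustration.

```python
"""Added illustration: per-verb authentication (the misconfiguration the answer
describes) contrasted with a check applied before any method-specific handling.
Everything here is constructed for the example; it is not a real framework."""
from dataclasses import dataclass, field
from typing import Callable, Dict

# Constructed credential for the example; a real application would validate a
# session or signed token against a user store.
VALID_TOKEN = "example-session-token"


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""


def is_authenticated(req: Request) -> bool:
    return req.headers.get("Authorization", "") == f"Bearer {VALID_TOKEN}"


def delete_account(req: Request) -> Response:
    # Privileged action that must never run for an anonymous caller.
    return Response(200, "account deleted")


# One handler wired to several verbs, as often happens when a framework maps
# "any method" to a view or an Apache <Limit> block names only some verbs.
HANDLERS: Dict[str, Callable[[Request], Response]] = {
    "POST": delete_account,
    "PUT": delete_account,
    "DELETE": delete_account,
}


def vulnerable_app(req: Request) -> Response:
    """Authentication is enforced only for GET and POST. Any other verb that
    reaches the same handler bypasses the check entirely."""
    if req.method in ("GET", "POST") and not is_authenticated(req):
        return Response(401, "authentication required")
    handler = HANDLERS.get(req.method)
    if handler is None:
        return Response(405, "method not allowed")
    return handler(req)


def hardened_app(req: Request) -> Response:
    """Only an explicit allow-list of methods is routed, and authentication runs
    before any verb-specific logic, so no verb can skip it."""
    allowed = {"POST", "DELETE"}
    if req.method not in allowed:
        return Response(405, "method not allowed")
    if not is_authenticated(req):
        return Response(401, "authentication required")
    return HANDLERS[req.method](req)


def probe(app: Callable[[Request], Response]) -> Dict[str, int]:
    """Exercise an app with each verb, anonymously and with a valid token, and
    return the status codes so the two behaviours can be compared."""
    good = {"Authorization": f"Bearer {VALID_TOKEN}"}
    results: Dict[str, int] = {}
    for verb in ("GET", "POST", "PUT", "DELETE"):
        results[f"{verb} anonymous"] = app(Request(verb, "/account")).status
        results[f"{verb} authenticated"] = app(Request(verb, "/account", good)).status
    return results


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("hardened", hardened_app)):
        print(name)
        for case, status in probe(app).items():
            print(f"  {case:22} -> {status}")
```

Running the script shows the contrast directly: the vulnerable dispatcher returns 200 for an anonymous PUT or DELETE while rejecting an anonymous POST, whereas the hardened dispatcher answers 405 for PUT and 401 for any anonymous request on an allowed verb. The same principle applies to web-server configuration: prefer deny-by-default rules (for example Apache's `<LimitExcept>` rather than `<Limit>`) so that an unlisted verb is rejected instead of silently allowed.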