Beware of Method Swapping: Unveiling a Potential Security Vulnerability

HooS

In the ever-changing field of cybersecurity, being vigilant is essential. Every technological development raises the possibility of new vulnerabilities emerging. The manipulation of HTTP methods is one such vulnerability that has recently come to light and puts sensitive data and user credentials at risk. This flaw, called “Method Swapping,” makes use of the interchangeability of HTTP methods to quickly and easily carry out unauthorized operations, such as canceling user accounts.

HTTP (Hypertext Transfer Protocol) governs the communication between clients and servers on the World Wide Web. It defines a set of request methods to indicate the desired action to be performed for a given resource. Common HTTP methods include GET, POST, PUT, and DELETE, each serving a distinct purpose:

GET: Retrieves data from the server.
POST: Submits data to be processed to the server.
PUT: Updates a resource on the server.
DELETE: Removes a resource from the server.

But nobody ever explores the potential of these methods in a route.

I discovered a vulnerability that allowed me to delete any user’s account simply by changing the request method.

Example:

GET /users/1 HTTP/2
Host: website.com

Response:

HTTP/2 403 Forbidden

BUT if I change the method?? 🤔

Request:

DELETE /users/1 HTTP/2
Host: website.com

Response:

HTTP/2 200 OK

WHAT? It worked!! I have deleted the account of user 1.

My recommendation: instead of looking for something more complex, remember that sometimes the simplest thing is something critical.
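For developers reviewing their own routes, here is an added example (not from the original article or the affected site). It assumes one server-side cause consistent with the responses above: an access check wired only to GET. The hypothetical handlers, user IDs and ownership rule below show that gap beside a version that authorizes every method and rejects methods the route does not declare.

```python
# Added illustration; route layout, user IDs and function names are hypothetical.
from dataclasses import dataclass

USERS = {1: "alice", 2: "bob"}  # constructed sample data

@dataclass
class Request:
    method: str
    target_id: int   # the {id} in /users/{id}
    caller_id: int   # authenticated user making the request (assumed)

def may_access(req):
    # Ownership rule: a user may act only on their own record.
    return req.caller_id == req.target_id

def handle_flawed(req, users):
    # Gap: the access check is tied to GET only, so other verbs skip it.
    if req.method == "GET":
        if not may_access(req):
            return 403
        return 200
    if req.method == "DELETE":
        users.pop(req.target_id, None)  # no authorization on this branch
        return 200
    return 405

ALLOWED = {"GET", "DELETE"}  # methods this route declares

def handle_hardened(req, users):
    # 1) Reject undeclared methods before any logic runs.
    if req.method not in ALLOWED:
        return 405
    # 2) Authorize once, for every method, before dispatch.
    if not may_access(req):
        return 403
    if req.target_id not in users:
        return 404
    if req.method == "DELETE":
        del users[req.target_id]
    return 200

def replay(handler):
    # Replays the article's GET then DELETE on /users/1, sent by user 2.
    users = dict(USERS)
    codes = [handler(Request(m, 1, 2), users) for m in ("GET", "DELETE")]
    return codes, 1 in users  # status codes, and whether user 1 still exists
```

A regression test that replays every declared and undeclared method against each protected route, as `replay` does for two of them, catches this class of gap before release.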

YesWeHack report