# 6.1.1 HTTP Method Tampering

## HTTP Method Tampering

HTTP Method Tampering is a web application vulnerability that occurs when an attacker changes the HTTP request method used to interact with the web server, and the server or application does not check that the method is the one expected for that resource.

HTTP requests typically use methods such as GET, POST, PUT, DELETE and OPTIONS to perform specific actions on a web application.

### Examples of HTTP Method Tampering

Typical situations and examples include:

* Changing a GET request to a DELETE request: if the application doesn't properly validate the method used, it might inadvertently delete data when we only try to retrieve it.
* Changing a POST request to a GET request: it could expose sensitive data that should only be accessible via a POST request.

We can do this using Burp Repeater or the curl utility as below:

See the allowed methods (the `Allow` header) -> `curl -v <Target_URL>`

Specify the request method with -X (default is GET) -> `curl -v -X OPTIONS <Target_URL>`

<figure><img src="/files/mO3lBMpP3NAgnD6PqzR4" alt=""><figcaption></figcaption></figure>

Good news: more methods are allowed (including PUT), so we can upload a file with curl, which sends it as a PUT request:

`curl <Target_URL>/uploads/ --upload-file shell.php`

and then open the uploaded shell.php at `<Target_URL>/uploads/shell.php`
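The examples above (GET changed to DELETE, and a server that advertises PUT on an upload directory) both come down to a dispatcher that never checks the method. The following Python is an added example, not code from these notes: a constructed weak dispatcher beside a hardened one that keeps a per-route allow-list, answers OPTIONS only from that list and returns 405 with an `Allow` header otherwise, plus a helper that parses the `Allow` header returned by `curl -v -X OPTIONS` and flags the methods worth a closer look. The routes, paths and header value are constructed for illustration.

```python
"""Added example (not from the original notes): method-tampering weakness and its fix."""
from typing import Callable, Dict, Set, Tuple

Handler = Callable[[], Tuple[int, str]]
# Per-route allow-list: path -> {method -> handler}. Only registered methods are reachable.
Routes = Dict[str, Dict[str, Handler]]

# Methods that merit attention when a server advertises them in Allow (constructed list).
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}


def vuln_dispatch(method: str, path: str) -> Tuple[int, str]:
    """Weak dispatcher keyed by path only: whatever method the client sends is
    passed straight through and acted on, so GET -> DELETE tampering succeeds."""
    if path == "/items/1":
        return (200, "deleted item 1") if method == "DELETE" else (200, "item 1")
    return 404, "not found"


def build_routes() -> Routes:
    """Constructed sample app: a read-only resource and an upload path that only accepts POST."""
    return {
        "/items/1": {"GET": lambda: (200, "item 1")},
        "/uploads/": {"POST": lambda: (201, "upload accepted")},
    }


def dispatch(routes: Routes, method: str, path: str) -> Tuple[int, Dict[str, str], str]:
    """Hardened dispatcher: unknown path -> 404; method not in the route's
    allow-list -> 405 with an Allow header listing what is permitted; OPTIONS is
    answered from the same allow-list, so the server never advertises PUT or
    DELETE on a path that does not actually handle them."""
    route = routes.get(path)
    if route is None:
        return 404, {}, "not found"
    allowed = sorted(route)  # only explicitly registered methods
    if method == "OPTIONS":
        return 204, {"Allow": ", ".join(allowed + ["OPTIONS"])}, ""
    handler = route.get(method)
    if handler is None:
        return 405, {"Allow": ", ".join(allowed)}, "method not allowed"
    status, body = handler()
    return status, {}, body


def parse_allow(header_value: str) -> Set[str]:
    """Parse an Allow header value ("GET, HEAD, PUT, ...") into a set of methods."""
    return {m.strip().upper() for m in header_value.split(",") if m.strip()}


def audit_allow(header_value: str) -> Set[str]:
    """Return the advertised methods that should be reviewed (PUT, DELETE, TRACE, CONNECT)."""
    return parse_allow(header_value) & RISKY_METHODS


if __name__ == "__main__":
    routes = build_routes()
    print(vuln_dispatch("DELETE", "/items/1"))        # (200, 'deleted item 1'): tampering works
    print(dispatch(routes, "DELETE", "/items/1"))     # (405, {'Allow': 'GET'}, ...)
    print(dispatch(routes, "PUT", "/uploads/"))       # (405, {'Allow': 'POST'}, ...)
    print(dispatch(routes, "OPTIONS", "/uploads/"))   # (204, {'Allow': 'POST, OPTIONS'}, '')
    # Constructed Allow header like one a permissive server might return to curl -X OPTIONS:
    print(audit_allow("GET, HEAD, POST, PUT, DELETE, OPTIONS"))  # {'PUT', 'DELETE'}
```

The point of `dispatch` is that the method is part of the route key, not an afterthought inside the handler: a tampered method never reaches application logic, and the `Allow` header the server sends back to an OPTIONS probe is derived from the same table, so it cannot over-advertise.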
