Tuesday, August 28, 2018

verb tunneling

Send a POST to an endpoint and set the X-HTTP-Method-Override header so the server treats the POST as another verb. The request line still says POST, so a proxy or access rule that only inspects the real method sees a harmless POST while the application dispatches the overridden verb, like so per this example:

POST /drive/items/{item-id} HTTP/1.1
Host: api.onedrive.com
X-HTTP-Method-Override: DELETE


This has a how-to on blocking specific headers to remove this security hole.
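As an added example (not code from the original post), the following Python models both points above: how a framework that honours X-HTTP-Method-Override would dispatch the request shown, and how a reverse proxy or middleware can detect the tunneling and strip the header so the backend only ever sees the real verb. The parser, the sample request and the check_request policy are constructed for illustration.

```python
from dataclasses import dataclass

OVERRIDE_HEADER = "x-http-method-override"  # header name from the post


@dataclass
class Request:
    method: str
    target: str
    headers: dict  # lower-cased header name -> value


def parse_request(raw: str) -> Request:
    """Parse the head of a raw HTTP/1.1 request (request line + headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return Request(method.upper(), target, headers)


def effective_method(req: Request) -> str:
    """Verb a framework that honours the override actually dispatches on.
    Implementations generally apply the override to POST only."""
    override = req.headers.get(OVERRIDE_HEADER)
    if req.method == "POST" and override:
        return override.strip().upper()
    return req.method


def check_request(req: Request, allow_override: bool = False) -> dict:
    """Defender's check: report tunneling and, unless explicitly allowed,
    drop the header so the backend sees only the real request method."""
    intended = effective_method(req)
    tunneled = intended != req.method
    stripped = tunneled and not allow_override
    if stripped:
        del req.headers[OVERRIDE_HEADER]
    return {"real_method": req.method, "intended_method": intended,
            "tunneled": tunneled, "header_stripped": stripped}


# Constructed sample modelled on the request shown in the post.
SAMPLE = ("POST /drive/items/{item-id} HTTP/1.1\r\n"
          "Host: api.onedrive.com\r\n"
          "X-HTTP-Method-Override: DELETE\r\n\r\n")

if __name__ == "__main__":
    print(check_request(parse_request(SAMPLE)))
```

Logging the `tunneled` flag alongside both methods gives a simple detection signal for requests whose real and intended verbs differ.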
