Skip to main content

Module method_override

Module method_override 

Source
Expand description

HTTP method-override confusion: framework re-interprets the request method from X-HTTP-Method-Override header (3 name variants), _method form field / query / multipart, chunked trailer, or header+form disagreement. Wire method shown to WAF is POST; framework executes DELETE/PUT/PATCH/etc. HTTP method-override confusion library.

Web frameworks accept “method override” hints — extra ways for a client behind a form (which only emits GET / POST) to request a PUT / DELETE / PATCH / etc. The hint comes in via four channels:

  1. X-HTTP-Method-Override header (Rails, Express, Django, Symfony, Spring, ASP.NET). Some frameworks also accept X-HTTP-Method, X-Method-Override.
  2. _method form field (Rails, Laravel — emitted by Rails <%= form_with method: :delete %> helpers).
  3. _method query parameter (Rails fallback when the request is a POST without a form-encoded body).
  4. HTTP_X_HTTP_METHOD_OVERRIDE env var (CGI bridges that pass headers as env vars; older PHP / Perl deployments).

The WAF’s threat model is usually based on the WIRE METHOD. If the wire shows POST /resource, the WAF applies POST rules. But the framework re-interprets the request as DELETE /resource and the action runs. Attacker reaches an authenticated DELETE /admin/user/123 while the WAF saw POST /admin/user/123 and didn’t fire its DELETE-against-admin rule.

This library produces the WIRE BYTES for every override channel, plus a few exotic variants:

  • Case-variant override: X-HTTP-Method-Override: dElEtE. Frameworks usually upper-case before dispatch; WAFs that blocklist DELETE literally miss.
  • Whitespace-padded override: X-HTTP-Method-Override: \tDELETE.
  • Duplicate override header: two X-HTTP-Method-Override lines with different methods. RFC says concatenate with comma; frameworks split on comma and pick first / last differently.
  • Override-via-trailer: HTTP/1.1 chunked-trailer with X-HTTP-Method-Override. Some frameworks read trailers; WAFs typically don’t.
  • HTTP/2 :method smuggled via X-HTTP-Method-Override: POST on the H2 pseudo-header + DELETE in the override custom header.
  • Form-field override with multipart: _method in a multipart field that the WAF parses as a text field but the framework parses as a directive.

Output contract: each function returns just the relevant header line or form-field bytes. The operator composes them into a complete request.

Functions§

all_override_variants
Build a one-shot fan-out: every override channel for the same target method. Returns ~12 variants the operator can fire to learn which channels the target honors.
chunked_trailer_override
HTTP/1.1 chunked trailer override. The header block looks like a plain POST; the framework reads the trailer after the chunked body and finds DELETE.
form_field_method
Form-field _method override (urlencoded body). Used by Rails and Laravel form helpers.
header_plus_form_disagree
Combine BOTH header AND form field with DIFFERENT methods. Framework precedence varies: Rails uses form, Express depends on configuration order. Catches every framework with one shot.
multipart_method
Multipart _method field — sends as multipart/form-data so the WAF that only inspects form-urlencoded misses it.
override_header
Build an X-HTTP-Method-Override header line that hints DELETE (or any caller-supplied method) while the wire method is POST.
override_header_alt
Alternate header name: X-HTTP-Method. Used by some Rails stacks and ASP.NET WebAPI.
override_header_case_mix
Case-mixed method value to defeat case-sensitive WAF blocklists.
override_header_duplicate
Duplicate-header smuggle. Two header lines with different method values — front-end and back-end disagree on which wins.
override_header_express
Another alternate: X-Method-Override. Used by Express method-override middleware (default header name).
override_header_padded
Whitespace-padded variant — WAF may strip leading whitespace before logging but framework re-parses the value.
query_method
Query-string _method override (Rails accepts on POST requests when there’s no form body).