Expand description
HTTP method-override confusion: framework re-interprets the
request method from X-HTTP-Method-Override header (3 name
variants), _method form field / query / multipart, chunked
trailer, or header+form disagreement. Wire method shown to WAF
is POST; framework executes DELETE/PUT/PATCH/etc.
HTTP method-override confusion library.
Web frameworks accept “method override” hints — extra ways for a client behind a form (which only emits GET / POST) to request a PUT / DELETE / PATCH / etc. The hint comes in via four channels:
X-HTTP-Method-Overrideheader (Rails, Express, Django, Symfony, Spring, ASP.NET). Some frameworks also acceptX-HTTP-Method,X-Method-Override._methodform field (Rails, Laravel — emitted by Rails<%= form_with method: :delete %>helpers)._methodquery parameter (Rails fallback when the request is a POST without a form-encoded body).HTTP_X_HTTP_METHOD_OVERRIDEenv var (CGI bridges that pass headers as env vars; older PHP / Perl deployments).
The WAF’s threat model is usually based on the WIRE METHOD. If
the wire shows POST /resource, the WAF applies POST rules. But
the framework re-interprets the request as DELETE /resource
and the action runs. Attacker reaches an authenticated
DELETE /admin/user/123 while the WAF saw POST /admin/user/123
and didn’t fire its DELETE-against-admin rule.
This library produces the WIRE BYTES for every override channel, plus a few exotic variants:
- Case-variant override:
X-HTTP-Method-Override: dElEtE. Frameworks usually upper-case before dispatch; WAFs that blocklistDELETEliterally miss. - Whitespace-padded override:
X-HTTP-Method-Override: \tDELETE. - Duplicate override header: two
X-HTTP-Method-Overridelines with different methods. RFC says concatenate with comma; frameworks split on comma and pick first / last differently. - Override-via-trailer: HTTP/1.1 chunked-trailer with
X-HTTP-Method-Override. Some frameworks read trailers; WAFs typically don’t. - HTTP/2
:methodsmuggled viaX-HTTP-Method-Override:POSTon the H2 pseudo-header + DELETE in the override custom header. - Form-field override with multipart:
_methodin a multipart field that the WAF parses as a text field but the framework parses as a directive.
Output contract: each function returns just the relevant header line or form-field bytes. The operator composes them into a complete request.
Functions§
- all_
override_ variants - Build a one-shot fan-out: every override channel for the same target method. Returns ~12 variants the operator can fire to learn which channels the target honors.
- chunked_
trailer_ override - HTTP/1.1 chunked trailer override. The header block looks like a plain POST; the framework reads the trailer after the chunked body and finds DELETE.
- form_
field_ method - Form-field
_methodoverride (urlencoded body). Used by Rails and Laravel form helpers. - header_
plus_ form_ disagree - Combine BOTH header AND form field with DIFFERENT methods. Framework precedence varies: Rails uses form, Express depends on configuration order. Catches every framework with one shot.
- multipart_
method - Multipart
_methodfield — sends as multipart/form-data so the WAF that only inspects form-urlencoded misses it. - override_
header - Build an
X-HTTP-Method-Overrideheader line that hints DELETE (or any caller-supplied method) while the wire method is POST. - override_
header_ alt - Alternate header name:
X-HTTP-Method. Used by some Rails stacks and ASP.NET WebAPI. - override_
header_ case_ mix - Case-mixed method value to defeat case-sensitive WAF blocklists.
- override_
header_ duplicate - Duplicate-header smuggle. Two header lines with different method values — front-end and back-end disagree on which wins.
- override_
header_ express - Another alternate:
X-Method-Override. Used by Expressmethod-overridemiddleware (default header name). - override_
header_ padded - Whitespace-padded variant — WAF may strip leading whitespace before logging but framework re-parses the value.
- query_
method - Query-string
_methodoverride (Rails accepts on POST requests when there’s no form body).