Bypassing VBAAC with HTTP Verb Tampering

Posted by Arshan Dabirsiaghi

How to inadvertenly allow attackers full access to your web application

Many web environments allow verb-based authentication and access control (VBAAC). The rule for these security controls involve using the HTTP verb (also called method), such as GET or POST, as part of a security decision.

Download paper