feat(scan): --method-override mutator for HTTP verb-tampering 403/401 bypass#21
Merged
Conversation
…/401 bypass Adds the HTTP verb / method-override access-control bypass mutator, the canonical "method bypass" technique that completes the access-control bypass family alongside --forbidden-bypass (path matching) and --csrf-header (CSRF token). It attacks which HTTP verb the access-control layer evaluates. Three technique families, every variant keeping the caller's own credentials (no identity swap): - override-header: inject X-HTTP-Method / X-HTTP-Method-Override / X-Method-Override naming a verb that crosses the safe/unsafe boundary while leaving the request-line verb unchanged - verb-swap: change the request-line method to a sibling verb the gateway may not gate (GET <-> HEAD/OPTIONS/POST, writes <-> GET/PUT/PATCH); never re-emits the original verb - case-toggle: flip the verb case (GET -> get) to defeat case-sensitive matchers Findings are class authz-bypass (ASVS V8.3.x, severity high), riding the existing comparative ladder unchanged. Pure/deterministic so --dry-run and the offline corpus cover it for free. Off by default (verb-swaps re-issue under state-changing methods), registered inert so DefaultRegistry order is unchanged. Tests: 14 new test functions (12 mutator + 2 buildRegistry gating). All existing buildRegistry call sites updated for the new signature argument. README and CHANGELOG updated. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
6 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds the HTTP verb / method-override access-control bypass mutator (
--method-override), the canonical "method bypass" technique that completes possession's access-control bypass family alongside--forbidden-bypass(path matching) and--csrf-header(anti-CSRF token). It attacks which HTTP verb the access-control layer evaluates.This was chosen over the alternative POST_V01 option (HTTP/3 QUIC probing): QUIC would require a transport-layer rewrite of the replay engine, violating the "don't change the defining architecture" constraint, whereas method-override is a pure mutator that drops cleanly into the existing pure-mutator + comparative-ladder design. POST_V01.md does not list either option (it is stale relative to recent rotations), so this fills the assessed gap directly. Verified absent in the codebase before implementing.
Three technique families (every variant keeps the caller's own credentials — no identity swap)
X-HTTP-Method,X-HTTP-Method-Override, orX-Method-Overridenaming a verb that crosses the safe/unsafe boundary (safe GET/HEAD/OPTIONS → POST; any write → GET), while leaving the request-line verb unchanged. Frameworks that honour the override header dispatch the overridden verb to the handler the gateway gated by request-line method.GET→get) to defeat a case-sensitive gateway matcher fronting a case-insensitive router.Properties
authz-bypass(ASVS V8.3.x, severity high), riding the existing comparative ladder unchanged.--dry-runand the offline corpus cover it for free.DefaultRegistryorder — and its order test — is unchanged.base.Method, so verb swaps work end-to-end with zero engine changes.Tests
internal/mutate/method_override_test.go+ 2 buildRegistry gating tests ininternal/cli): off-by-default, nil-safe, credential-preservation, header/verb-swap/case-toggle technique coverage, empty + unknown-verb handling, determinism, sorted-order, andtoggleMethodCaseunit coverage.buildRegistrycall sites updated for the new trailing argument.go test ./... -racegreen;go vetandgofmtclean.Test plan
go build ./...go test ./... -race(all packages pass)go vet ./...cleangofmt -lclean on all touched files--method-override --dry-runemits header + verb-swap + case-toggle variants on the example corpus🤖 Generated with Claude Code