This vulnerability occurs when a server incorrectly assumes that HTTP GET requests are always safe and cannot change server-side data. Attackers can exploit this flawed assumption to bypass security controls and perform unauthorized actions like modifying or deleting resources.
The HTTP specification defines GET as a "safe" method, one intended to retrieve a representation without side effects, which tempts developers to treat the method itself as a security boundary. The protocol does not enforce that property; whether a GET changes state is decided entirely by application code. Developers can, and often do, wire endpoints so that a GET request creates, updates, or deletes data, especially in REST-style APIs. If authorization is only checked for POST, PUT, or DELETE, an attacker can issue the equivalent GET request and reach the same state-changing handler with no check at all.

Enforce authorization based on the user's permissions and on what the requested operation actually does, not on the HTTP method that carried it. Never assume that POST, PUT, or DELETE are the only methods capable of altering state. Every request, GET included, must pass the same check confirming that the user is authorized for the specific operation it triggers.
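As an added example (not code from the original entry), a minimal dispatcher in plain Python puts the flawed method-based check beside an action-based one; the routes, users and item store are constructed for illustration.

```python
from dataclasses import dataclass, field

# Methods the flawed code treats as the only ones that can change state.
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    method: str
    path: str
    user: str  # assumed to be authenticated upstream; only authorization is shown here


@dataclass
class ItemService:
    # Constructed sample data: one stored item and one privileged user.
    items: dict = field(default_factory=lambda: {"1": "report.pdf"})
    admins: set = field(default_factory=lambda: {"alice"})

    def delete_item(self, item_id: str) -> bool:
        return self.items.pop(item_id, None) is not None

    @staticmethod
    def _is_delete_route(path: str):
        # Matches /items/<id>/delete and returns <id>, else None.
        parts = path.strip("/").split("/")
        if len(parts) == 3 and parts[0] == "items" and parts[2] == "delete":
            return parts[1]
        return None

    def dispatch_vulnerable(self, req: Request) -> int:
        # Flawed: authorization keys off the HTTP method, on the assumption
        # that only POST/PUT/PATCH/DELETE can modify data...
        if req.method in STATE_CHANGING_METHODS and req.user not in self.admins:
            return 403
        # ...but the delete handler is reachable by any method, GET included,
        # so a non-admin GET deletes the item with no check at all.
        item_id = self._is_delete_route(req.path)
        if item_id is not None:
            return 200 if self.delete_item(item_id) else 404
        return 200

    def dispatch_fixed(self, req: Request) -> int:
        # Hardened: the check is tied to the action the handler performs
        # (deleting an item) and runs on every request, whatever the method.
        item_id = self._is_delete_route(req.path)
        if item_id is not None:
            if req.user not in self.admins:
                return 403  # permission decided by the action, not the verb
            if req.method not in {"POST", "DELETE"}:
                return 405  # additionally, never let a safe method reach a mutating handler
            return 200 if self.delete_item(item_id) else 404
        return 200
```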
Impact: Gain Privileges or Assume Identity
An attacker could escalate privileges.
Impact: Modify Application Data
An attacker could modify resources.
Impact: Read Application Data
An attacker could obtain sensitive information.
High