RootMe - HTTP Verb Tampering

RootMe challenge walkthrough - HTTP - Verb Tampering

Mission
Bypass the security establishment.

Analysis

  • A login form pops up as a window when opening the challenge.
  • Closing the window or attempting normal access results in an Authorization Required message.
  • The server likely applies the access restriction per HTTP method (e.g., only to common verbs such as GET) rather than to every method.

Solution steps

  1. Start Burp Suite and intercept the initial request (likely a GET).
  2. Change the request method from GET to POST → server responds with 401 Unauthorized.
  3. Try other HTTP methods: PATCH, HEAD, PUT, DELETE, etc.
  4. Using the PATCH method succeeds → the password is returned in the response.

Key takeaway
Many web applications implement access controls only for common methods (GET/POST) and fail to restrict others like PATCH, PUT, or DELETE. This is a classic HTTP verb tampering vulnerability: always test alternative HTTP methods when facing authorization blocks. On the server side, the fix is to enforce the authorization check for every method (deny by default) instead of enumerating the verbs to protect.
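To show both sides of the bug from the steps and takeaway above, here is an added example that is not part of the original walkthrough: a throwaway local server that, like the challenge, checks the Authorization header only for GET and POST, a hardened variant that checks every verb, and a probe that reports which verbs get through unauthenticated. The secret string, handler names and port handling are constructed for the demo and are not RootMe's code.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SECRET = b"secret-constructed-for-demo"  # constructed stand-in for the leaked password

class VerbLimitedHandler(BaseHTTPRequestHandler):
    """Emulates the misconfiguration: only GET and POST are checked, other verbs fall through."""
    guarded_methods = ("GET", "POST")  # None means every method is guarded

    def _serve(self):
        guarded = self.guarded_methods is None or self.command in self.guarded_methods
        denied = guarded and "Authorization" not in self.headers
        status, body = (401, b"Authorization Required") if denied else (200, SECRET)
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = do_PUT = do_PATCH = do_DELETE = _serve  # unmapped verbs would get 501

class HardenedHandler(VerbLimitedHandler):
    guarded_methods = None  # the fix: the check no longer depends on the verb

def probe(url, methods=("GET", "POST", "PUT", "PATCH", "DELETE")):
    """Send one unauthenticated request per verb; return {verb: status code}."""
    results = {}
    for method in methods:
        try:
            with urllib.request.urlopen(urllib.request.Request(url, method=method), timeout=5) as r:
                results[method] = r.status
        except urllib.error.HTTPError as err:  # urlopen raises on 4xx/5xx
            results[method] = err.code
    return results

def bypassing_methods(handler_cls):
    """Serve handler_cls on an ephemeral localhost port; list verbs answered 200 without auth."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        statuses = probe(f"http://127.0.0.1:{server.server_address[1]}/")
        return sorted(verb for verb, code in statuses.items() if code == 200)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print("misconfigured:", bypassing_methods(VerbLimitedHandler))  # ['DELETE', 'PATCH', 'PUT']
    print("hardened:", bypassing_methods(HardenedHandler))  # []
```

The same probe can be pointed at any test instance you own to confirm that a protected path answers 401 for every verb, not just GET and POST.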

Finished. Happy Hacking!

This post is licensed under CC BY 4.0 by the author.