coreruleset · fzipi · Jan 26, 2026 · Jan 21, 2026 · Jan 22, 2026 · Jan 22, 2026
diff --git a/crs-setup.conf.example b/crs-setup.conf.example
@@ -479,6 +479,36 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 #    ver:'OWASP_CRS/4.23.0-dev',\
 #    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
 
+#
+# -- [[ HTTP Method Override Parameter ]] -------------------------------------
+#
+# Many web frameworks (Laravel, Rails, Symfony, CakePHP, Express.js, etc.)
+# support overriding the HTTP method via a _method parameter in the query
+# string or request body. This allows HTML forms to simulate PUT, PATCH,
+# and DELETE requests.
+#
+# While this is legitimate framework behavior, it can be abused for:
+# - WAF bypass (sending POST with _method=DELETE)
+# - CSRF attacks bypassing SameSite=Lax cookie restrictions
+# - Method-based ACL bypass
+#
+# By default, CRS blocks _method parameter usage at PL2+. If your application
+# legitimately uses the _method parameter for method override, you can allow
+# it by uncommenting the rule below.
+#
+# Note: The X-HTTP-Method-Override header is handled separately by rule 920450.
+#
+# Uncomment this rule to ALLOW _method parameter for method override:
+#
+#SecAction \
+#    "id:900210,\
+#    phase:1,\
+#    pass,\
+#    nolog,\
+#    tag:'OWASP_CRS',\
+#    ver:'OWASP_CRS/4.23.0-dev',\
+#    setvar:'tx.allow_method_override_parameter=1'"
+
 # Content-Types that a client is allowed to send in a request.
 # Default: |application/x-www-form-urlencoded| |multipart/form-data| |text/xml|
 # |application/xml| |application/soap+xml| |application/json|

diff --git a/rules/REQUEST-901-INITIALIZATION.conf b/rules/REQUEST-901-INITIALIZATION.conf
@@ -249,6 +249,25 @@ SecRule &TX:restricted_headers_extended "@eq 0" \
     ver:'OWASP_CRS/4.23.0-dev',\
     setvar:'tx.restricted_headers_extended=/accept-charset/'"
 
+#
+# -=[ Method Override Parameter Configuration ]=-
+#
+# Initialize the allow_method_override_parameter variable.
+# This controls whether the _method parameter is permitted for HTTP method
+# override (used by frameworks like Laravel, Rails, Symfony).
+#
+# To allow _method parameter, set tx.allow_method_override_parameter=1
+# in crs-setup.conf (see rule 900510).
+#
+SecRule &TX:allow_method_override_parameter "@eq 0" \
+    "id:901510,\
+    phase:1,\
+    pass,\
+    nolog,\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.23.0-dev',\
+    setvar:'tx.allow_method_override_parameter=0'"
+
 # Default enforcing of body processor URLENCODED (rule 900010 in crs-setup.conf)
 SecRule &TX:enforce_bodyproc_urlencoded "@eq 0" \
     "id:901167,\

diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
@@ -1556,6 +1556,54 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded
         SecRule REQUEST_BODY "@validateUrlEncoding" \
             "setvar:'tx.inbound_anomaly_score_pl2=+%{tx.warning_anomaly_score}'"
 
+#
+# -=[ Rule 920650: HTTP Method Override via _method Parameter ]=-
+#
+# The _method parameter is used by several web frameworks (Laravel, Rails,
+# Symfony, CakePHP, Express.js, Phoenix, etc.) to override the HTTP method.
+# This allows HTML forms to simulate PUT, PATCH, DELETE requests which are
+# not natively supported by browsers.
+#
+# While this is legitimate framework behavior, it can be abused to:
+# - Bypass WAF rules that inspect based on HTTP method
+# - Bypass SameSite=Lax cookie restrictions for CSRF attacks
+# - Circumvent method-based access control lists
+#
+# This rule detects _method parameter in both query string and request body
+# when it specifies a potentially dangerous method (DELETE, PUT, PATCH, etc.).
+#
+# To allow _method parameter for applications that legitimately use it,
+# set tx.allow_method_override_parameter=1 in crs-setup.conf (see rule 900210).
+#
+# References:
+# - https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions
+# - https://blog.mindedsecurity.com/2016/01/request-parameter-method-may-lead-to.html
+# - https://www.sidechannel.blog/en/http-method-override-what-it-is-and-how-a-pentester-can-use-it
+# - https://laravel.com/docs/routing#form-method-spoofing
+# - https://guides.rubyonrails.org/form_helpers.html#how-do-forms-with-patch-put-or-delete-methods-work
+#
+SecRule TX:allow_method_override_parameter "@eq 0" \
+    "id:920650,\
+    phase:2,\
+    block,\
+    t:none,\
+    msg:'HTTP method override attempt via _method parameter',\
+    logdata:'Requested method override: %{ARGS._method}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-protocol',\
+    tag:'paranoia-level/2',\
+    tag:'OWASP_CRS',\
+    tag:'OWASP_CRS/PROTOCOL-ENFORCEMENT',\
+    tag:'capec/1000/210/272',\
+    ver:'OWASP_CRS/4.23.0-dev',\
+    severity:'CRITICAL',\
+    chain"
+    SecRule ARGS:_method "@rx ^[a-z]{3,10}$" \
+        "t:none,t:urlDecodeUni,t:lowercase,\
+        setvar:'tx.inbound_anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
+
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920015,phase:1,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0-dev',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
 SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:920016,phase:2,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.23.0-dev',skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
 #