Verb Smuggling

The HTTP specification defines a short list of possible request methods:

  • GET

  • HEAD

  • POST

  • PUT

  • DELETE

  • CONNECT

  • OPTIONS

  • TRACE

  • PATCH

These request methods, also informally known as verbs, were intended to cover the gamut of client/server interactions.

At the same time, vanilla HTTP links and forms can only make use of two of these: GET for links, and POST for forms. This can be a problem, as a link may serve a different function (such as delete), and a form submission may be a POST to create a entity, or a PUT to update an entity.

Of course, in modern web applications, this is less important, as all the critical interactions will be driven from client-side code or via web sockets.

Verb smuggling is a compromise; it allows ordinary HTTP links and forms, but defines a query parameter that "smuggles" in the true request method. The method-param interceptor extracts that query parameter value, converts it to a keyword, and updates the request map :request-method key.

By default, the query parameter name is _method, but this can be configured in the service map. It can even be configured to smuggle the verb via an HTTP header or a value stored in the request body.