Be careful what you request for
Blog post from Semgrep
HTTP verbs are not limited to the familiar GET and POST. The HTTP/1.1 specification defines the method as an arbitrary token: whatever precedes the first space on the request line is the verb, and servers and web frameworks pass that string to application code as-is. A custom verb is therefore attacker-controlled input like any other part of the request, and an application that handles it carelessly can be exploited.

This particular issue turned up while scanning Django applications for cross-site scripting (XSS) with Semgrep: views that reflected the request's method into a response (for example in a "method not allowed" message) without escaping it, leaving a possible XSS.

Exploiting it from a browser is harder than a normal reflected XSS. Browsers have historically uppercased the method before sending it, which breaks case-sensitive JavaScript payloads, and current browsers additionally refuse to send a method that contains characters outside the HTTP token grammar (so "<", ">", quotes and "/" cannot be placed in the verb by a page). That is why modern browsers generally prevent exploitation through weird characters in HTTP verbs.

The bug is still easy to find with Semgrep: its rules flag code that places the request method, or any other user-controlled value, into a response without proper sanitization. And it is still worth fixing: the server side accepts any token a client sends, so treat the method like any other untrusted input and escape it, rather than relying on browser behaviour to keep attackers out. Attackers may yet find creative ways to abuse such sinks.
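The following is an added example, not code from the Semgrep post or from Django. It parses a constructed HTTP/1.1 request line the way a server does (the method is simply the text before the first space), checks the method against the RFC token grammar that browsers enforce, and then builds the "method not allowed" body both the vulnerable way (verb reflected verbatim) and the hardened way (verb escaped). The function and variable names are my own.

```python
"""Constructed demonstration of reflecting an HTTP method into HTML.

Not the Semgrep post's code and not Django's code: a minimal request-line
parser plus two versions of a 405 error page, one vulnerable and one escaped.
"""
import html
import re
from typing import Tuple

# RFC 9110 token grammar (tchar). Browsers refuse to send a method that does
# not match this, which is why "<" or "/" cannot be smuggled into the verb
# from a web page. Non-browser clients are not so constrained.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_request_line(raw: bytes) -> Tuple[str, str, str]:
    """Return (method, target, version) from a raw HTTP/1.1 request.

    The method is whatever precedes the first space; nothing here restricts it
    to GET or POST, exactly as in a real server.
    """
    first_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = first_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % first_line)
    return parts[0], parts[1], parts[2]


def is_valid_method(method: str) -> bool:
    """True if the method satisfies the HTTP token grammar."""
    return TOKEN_RE.fullmatch(method) is not None


def vulnerable_405_body(method: str) -> str:
    # The pattern the post warns about: request.method reflected verbatim.
    return "<h1>Method %s not allowed</h1>" % method


def safe_405_body(method: str) -> str:
    # Hardened form: the verb is untrusted input and gets HTML-escaped.
    return "<h1>Method %s not allowed</h1>" % html.escape(method)


def handle_request(raw: bytes, allowed=("GET", "POST"),
                   escape_output=True) -> Tuple[int, str]:
    """Tiny stand-in for a view: 200 for allowed verbs, 405 otherwise."""
    method, _target, _version = parse_request_line(raw)
    if method in allowed:
        return 200, "<p>ok</p>"
    body = safe_405_body(method) if escape_output else vulnerable_405_body(method)
    return 405, body


# Constructed sample request: the "verb" is a script tag. It contains no
# spaces, so the request line still parses, but it is not a valid token.
SAMPLE_REQUEST = (
    b"<script>alert(1)</script> /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    method, _, _ = parse_request_line(SAMPLE_REQUEST)
    print("method token valid for a browser:", is_valid_method(method))
    print("vulnerable:", handle_request(SAMPLE_REQUEST, escape_output=False))
    print("hardened:  ", handle_request(SAMPLE_REQUEST))
```

Running the block shows the vulnerable body carrying the raw script tag while the hardened body contains only the escaped text. The `is_valid_method` check is the same constraint a browser applies before sending a request, so it is useful for judging whether a given reflected-method finding is browser-reachable or only reachable from a raw client.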