вот вот про это где можно почитать, на русском

By manipulating the HTTP verb it was possible to bypass the authorization on this directory. The scanner sent a request with POST HTTP verb and managed to bypass the authorization. An application is vulnerable to HTTP Verb tampering if the following conditions hold:

it uses a security control that lists HTTP verbs

the security control fails to block verbs that are not listed

it has GET functionality that is not idempotent or will execute with an arbitrary HTTP verb

For example, Apache with .htaccess is vulnerable if HTTP verbs are specified using the LIMIT keyword:

является ифективным методом атаки?