HTTP Methods

HTTP offers a number of methods (or verbs) that can be used to perform actions on the web server. While GET and POST are by far the most common methods that are used to access information provided by a web server, there are a variety of other methods that may also be supported, and can sometimes be exploited by attackers.

Vulnerability description for reporting available in VulnDB (GitHub)

Common HTTP Methods

  • HEAD
  • GET (read)
  • POST (create)
  • PUT/PATCH (replace/update)
  • DELETE (to delete a record)
  • TRACE
  • CONNECT
  • ANY OTHER CUSTOM STRING

Discover Supported HTTP Methods

Discover supported HTTP methods for each API endpoint found. Server will respond with 405 Method Not Allowed if the requested method is not appropriate for the requested resource.

If the PUT method is supported, see File Upload.

The TRACE method can send back server cookies! Which bypasses HTTP_ONLY cookie flag… This can be sent to another server to steal cookies.

Burp Suite

Send the request to the Repeater module. The Intruder module can also be used with a list of HTTP methods.

OPTIONS /api/endpoint HTTP/2
Host: victim.com
HTTP/1.1 200 OK
Allow: OPTIONS, GET, HEAD, POST

Nmap scripts

IP=x.x.x.x
nmap -p 443 --script http-methods $IP

Curl

curl -X OPTIONS https://victim.com

Netcat

nc www.victim.com 80 
OPTIONS / HTTP/1.1
Host: www.victim.com