HTTP offers a number of methods (or verbs) that can be used to perform actions on the web server. While GET and POST are by far the most common methods that are used to access information provided by a web server, there are a variety of other methods that may also be supported, and can sometimes be exploited by attackers.
- Test HTTP Methods (OWASP Testing Guide, WSTG-CONF-06)
➡ Vulnerability description for reporting available in VulnDB (GitHub)
Common HTTP Methods
- HEAD
- GET (read)
- POST (create)
- PUT/PATCH (replace/update)
- DELETE (to delete a record)
- TRACE
- CONNECT
- ANY OTHER CUSTOM STRING
Discover Supported HTTP Methods
Discover supported HTTP methods for each API endpoint found. Server will respond with 405 Method Not Allowed if the requested method is not appropriate for the requested resource.
💡 If the PUT method is supported, see File Upload.
💡 The TRACE method can send back server cookies! Which bypasses HTTP_ONLY cookie flag… This can be sent to another server to steal cookies.
Burp Suite
Send the request to the Repeater module. The Intruder module can also be used with a list of HTTP methods.
OPTIONS /api/endpoint HTTP/2
Host: victim.comHTTP/1.1 200 OK
Allow: OPTIONS, GET, HEAD, POSTNmap scripts
IP=x.x.x.x
nmap -p 443 --script http-methods $IPCurl
curl -X OPTIONS https://victim.comNetcat
nc www.victim.com 80
OPTIONS / HTTP/1.1
Host: www.victim.com