How to find OPTIONS method Enable Vulnerability

Today we are going to learn various techniques to find out whether the OPTIONS method is enabled on a web application, and the tools used to extract the HTTP methods a web server supports. The HTTP protocol comprises a number of methods that can be used not only to gather information from the web server but also to perform specific actions on it. These techniques are helpful for web application developers during the deployment and testing stages of a web application.

GET and POST are the most well-known methods, used to retrieve and submit information on a web server respectively. The HTTP protocol allows various other methods as well, such as PUT, CONNECT, TRACE, HEAD and DELETE. These methods can be used for malicious purposes if the web server is left misconfigured, and hence pose a major security risk for the web application, since they could allow an attacker to modify the files stored on the web server.

OPTIONS: The OPTIONS method is used to request the available HTTP methods on a web server.

GET: GET request is the most common and widely used method for websites. This method is used to retrieve the data from the Web server for a specific resource. As the GET method only requests for the data and doesn’t modify the content of any resources, it’s considered to be safe.

POST: POST requests are used to send (or submit) data to the web server to create or update a resource. The information sent is carried in the body of the HTTP request and processed further. An example is the "Contact us" form page on a website: when we fill in the form and submit it, the input data is placed in the request body and sent across to the server.

PUT: The PUT method allows the end-user (client) to upload new files on the Web server. An attacker can exploit it by uploading malicious files or by using the victim’s server as a file repository.

CONNECT: The CONNECT method could allow a client to use the web server as a proxy.

TRACE: This method echoes back to the client, the same string which has been sent across to the server, and is used mainly for debugging purposes.

HEAD: The HEAD method is similar to GET, except that the response carries no message body. In other words, if the HTTP request GET /products returns a list of products, then HEAD /products triggers a similar request on the server but returns only the headers, not the list of products.

DELETE: This method enables a client to delete a file on the Web server. An attacker can exploit it as a very simple and direct way to deface a Web site or to perform a DoS attack.

Now let us use some tools to identify the HTTP methods enabled or supported by the Web server.
  • cURL
  • Nikto
  • Nmap
  • Nmap Automator
  • Netcat
  • Burpsuite

cURL

cURL is a command-line tool to get or send data using URL syntax. It supports various well-known protocols (HTTPS, FTP, SCP, LDAP, Telnet etc.) along with command-line (CLI) options for performing various tasks (e.g. user authentication, FTP uploading, SSL connections etc.). The cURL utility comes installed by default in most distributions. If cURL is not installed, it can be installed with the apt-get install curl command. For more details refer to the URL below.

Through the cURL command we can identify the HTTP Options available on the target URL as follows:

curl -v -X OPTIONS <IP address or site name>

With -v, cURL prints the full exchange, so look for an Allow header in the response; it lists the methods the server reports as supported for that resource.

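The cURL command above shows the raw response; to turn that into a repeatable check for your own hosts, the following added example (not code from the original post) sends an OPTIONS request, parses the Allow header and flags the methods the post calls dangerous (PUT, DELETE, TRACE, CONNECT). It runs against a constructed local test server that advertises a deliberately permissive Allow header, so it works offline; the server, its port and the method list are assumptions for the demo, not a real target.

```python
"""Added example (not from the original post): enumerate the HTTP methods a
server advertises in response to OPTIONS and flag the risky ones.
The test server below is constructed sample data so the script runs offline."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Methods the post singles out as dangerous when left enabled on a production host.
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}


def parse_allow_header(value):
    """Turn an Allow header value such as 'GET, POST, put' into a sorted,
    de-duplicated list of upper-case method names."""
    if not value:
        return []
    return sorted({m.strip().upper() for m in value.split(",") if m.strip()})


def risky_methods(methods):
    """Return the subset of the advertised methods that should not be exposed."""
    return sorted(set(methods) & RISKY_METHODS)


def options_probe(url, timeout=5):
    """Send OPTIONS to url and return (status code, methods parsed from Allow)."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("OPTIONS", u.path or "/")
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection can be closed cleanly
        return resp.status, parse_allow_header(resp.getheader("Allow"))
    finally:
        conn.close()


class _ConstructedHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a misconfigured web server (demo data, not a real host)."""

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, POST, PUT, DELETE, TRACE")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def run_demo():
    """Start the constructed server on an ephemeral port, probe it and return the findings."""
    srv = HTTPServer(("127.0.0.1", 0), _ConstructedHandler)
    thread = threading.Thread(target=srv.serve_forever, daemon=True)
    thread.start()
    try:
        status, methods = options_probe(f"http://127.0.0.1:{srv.server_port}/")
    finally:
        srv.shutdown()
        srv.server_close()
    return {"status": status, "allowed": methods, "risky": risky_methods(methods)}


if __name__ == "__main__":
    result = run_demo()
    print(f"OPTIONS -> {result['status']}; Allow: {', '.join(result['allowed'])}")
    if result["risky"]:
        print("Risky methods advertised:", ", ".join(result["risky"]))
    else:
        print("No risky methods advertised.")
```

To point it at a host you administer, call options_probe("https://your-host/") directly. One caveat worth keeping in mind when reading the output: the Allow header is advisory, so a server may advertise a method it actually rejects or omit one it accepts; treat the header as a starting point and confirm each flagged method against the server configuration.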
Nikto

Nikto is a web server scanner that tests web servers for dangerous files/CGIs, outdated server software and other issues. It performs both generic checks and checks specific to the server type.

Through the Nikto command we can identify the HTTP Options available on the target URL as follows:

nikto -h <IP address or site name>

Nikto reports the methods it finds in the "Allowed HTTP Methods" line of its output, and separately notes when TRACE or other risky methods are enabled.

Nmap

Nmap is a free and open-source security scanner used to discover hosts and services on a network. Another way of checking which HTTP methods are enabled is to use the Nmap script http-methods.nse, which is documented at https://nmap.org/nsedoc/scripts/http-methods.html.

Let us use the Nmap command to enumerate all of the HTTP methods supported by the web server on the target URL as follows:

nmap --script http-methods <IP address or site name>

OR

nmap --script http-methods --script-args http-methods.url-path='/website' <IP address>

The second form uses the url-path script argument to check a specific path rather than the site root, since the methods a server allows can differ from one directory to another.