I have been reading some Interesting articles regarding hacking the servers with HTTP methods..

I found it interesting,

As far as to my knowledge i had heard there were only 8 http methods ,

but after reading this page  (pardon me i am beginner to this web-sec )



I found it really interesting,they had mentioned about the usage of arbitrary http methods ,so it made interested ,

here are my questions:

1) how can i MANUALLY find , what are the http methods are being supported by a web-server?
I tried net catting to the ports on some sites,but i didnt got the list of methods being supported by the web-servers .

how can i find this manually? because i do know that tools like accunteix and some other tools can do it,but i do want to do it manually so that i can get some knowledge about how it is being done ?

2)can you guys please explain me from your experience about
Arbitrary HTTP Methods ,i tought there were only 8 methods in http.i never heard about these,so i tought it would be nice to ask you guys..

3)is it possible to compromise a web-server with a UNKNOWN HTTP method or using a HTTP method other than the 8 traditional methods ?

4)first how a web-server supports the usage of a http methods other than the specified 8 methods in the rfc ?can any 1 explain me ?

5)Also i would like to know,how a web-site is explicitly checking for GET or POST methods?

Also how can we identify this manually?


Sorry guys,i think i had asked too much of questions,but as i don't have deep knowledge about these things,i tought it would be better to ask here, hope my doubts will be get cleared...

I tried net catting to the ports on some sites,but i didnt got the list of methods being supported by the web-servers ,
also it seems like you said it seems OPTIONS method are disabled on those servers,Also i had seen in some tools like accunteix are displaying what kind of methods are enabled/supported  on a web-server ,how can we find this manually sir ?

still looking for answers 

If you know that Accunetix (or any other web vulnerability scanner) does it, why don't you capture the traffic or use a proxy to see all the request the tool is doing so you can learn how it works? This is a great way to learn.


Unless there is a backdoor that is activated through that unknown method, no. Pen Testing is not magic.


Vendors understand and implement RFCs in different ways.

As far as I know, the spider portion of Burp works no matter how large the site.  It may take longer to crawl, but it'll still work.  Here's how the spider portion of Burp works: http://portswigger.net/burp/spider.html

You can also use these tools to play with:
HTTP Options: http://attacks.intern0t.net/htopt/
TRACE: http://attacks.intern0t.net/xstrace/


In short, "htopt" simply sends the "OPTIONS" header for you, and keep in mind that not all servers includes this feature (request / function) for an unknown reason.

The "xstrace" program / tool, acts as a proxy between you and the target, so you can perform TRACE requests and see the result without an intercepting proxy or another tool.

i have been actively following you maxe,i have been already trying those tools from intern0t,very simple to use....

and atlast i had find it maxe

but this is the only question for which i still couldn't find a firm answer for it


Also how can we identify this manually?

or in other words

 when we are sending a request with a "Y" HTTP method to the server  instead of "X" HTTP method expected by  the server,how a web-server will explicitly check for this ?

Also if the server allows a "Y" method instead of the "X" method(which is actually expected by the server) does it pose any serious threat to the web-server?







Thanks for the information "Grendel",ill keep this in mind....

  <nods head in agreement>