
How to find the various http methods supported by a web-server MANUALLY ?

<<

manoj9372

Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Sun Aug 21, 2011 11:41 pm

How to find the various http methods supported by a web-server MANUALLY ?

I have been reading some interesting articles regarding hacking the servers with HTTP methods.

I found it interesting.

As far as my knowledge goes, I had heard there were only 8 HTTP methods,

but after reading this page (pardon me, I am a beginner to this web-sec :) )

  Code:
https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29



I found it really interesting. They mentioned the usage of arbitrary HTTP methods, which made me interested.

Here are my questions:

1) How can I MANUALLY find which HTTP methods are supported by a web server?
I tried netcatting to the ports on some sites, but I didn't get the list of methods supported by the web servers.

How can I find this manually? I know that tools like Acunetix and some other tools can do it, but I want to do it manually so that I can get some knowledge about how it is done.

2) Can you guys please explain, from your experience, arbitrary HTTP methods? I thought there were only 8 methods in HTTP. I had never heard of these, so I thought it would be nice to ask you guys.

3) Is it possible to compromise a web server with an UNKNOWN HTTP method, or using an HTTP method other than the 8 traditional methods?

4) First, how does a web server support the usage of HTTP methods other than the 8 methods specified in the RFC? Can anyone explain?

5) Also, I would like to know how a website explicitly checks for GET or POST methods.

Also, how can we identify this manually?


Sorry guys, I think I have asked too many questions, but as I don't have deep knowledge of these things, I thought it would be better to ask here. I hope my doubts will be cleared up.
<<

lorddicranius

Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Mon Aug 22, 2011 1:21 am

Re: How to find the various http methods supported by a web-server MANUALLY ?

#1 can be found in the black box testing and example section of the link you posted.  The OPTIONS method will need to be enabled on the server for it to reply back with the methods that are enabled.
Last edited by lorddicranius on Mon Aug 22, 2011 1:24 am, edited 1 time in total.
GSEC, eCPPT, Sec+
<<

manoj9372

Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Mon Aug 22, 2011 2:33 am

Re: How to find the various http methods supported by a web-server MANUALLY ?

lorddicranius wrote:#1 can be found in the black box testing and example section of the link you posted.  The OPTIONS method will need to be enabled on the server for it to reply back with the methods that are enabled.


I tried netcatting to the ports on some sites, but I didn't get the list of methods supported by the web servers.
Also, as you said, it seems the OPTIONS method is disabled on those servers. Also, I have seen that some tools like Acunetix display what kind of methods are enabled/supported on a web server. How can we find this manually, sir?

Still looking for answers :)
<<

lorddicranius

Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Mon Aug 22, 2011 9:51 am

Re: How to find the various http methods supported by a web-server MANUALLY ?

I've never used Acunetix before, but it may be the result of crawling the website and logging HTTP methods found in the headers.  I've never used Acunetix before, but with Burp Suite I can filter down my results to parameterised requests and it'll show me the various HTTP methods used while crawling a website.

**Sidenote: I'm still new to web app security, something I'm actively studying :)
GSEC, eCPPT, Sec+
<<

mambru

Jr. Member

Posts: 98

Joined: Wed Jun 03, 2009 3:11 pm

Post Mon Aug 22, 2011 10:44 am

Re: How to find the various http methods supported by a web-server MANUALLY ?

manoj9372 wrote:How can I find this manually? I know that tools like Acunetix and some other tools can do it, but I want to do it manually so that I can get some knowledge about how it is done.


If you know that Acunetix (or any other web vulnerability scanner) does it, why don't you capture the traffic or use a proxy to see all the requests the tool is making so you can learn how it works? This is a great way to learn.

manoj9372 wrote:Is it possible to compromise a web server with an UNKNOWN HTTP method, or using an HTTP method other than the 8 traditional methods?


Unless there is a backdoor that is activated through that unknown method, no. Pen Testing is not magic.

manoj9372 wrote:First, how does a web server support the usage of HTTP methods other than the 8 methods specified in the RFC? Can anyone explain?


Vendors understand and implement RFCs in different ways.
<<

manoj9372

Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Mon Aug 22, 2011 11:13 am

Re: How to find the various http methods supported by a web-server MANUALLY ?

lorddicranius wrote:I've never used Acunetix before, but with Burp Suite I can filter down my results to parameterised requests and it'll show me the various HTTP methods used while crawling a website.


Maybe this is the one I need to try, but I don't know whether it would be possible to do it on larger sites?


lorddicranius wrote:**Sidenote: I'm still new to web app security, something I'm actively studying :)


Well, cheers, join me :)
<<

lorddicranius

Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Mon Aug 22, 2011 11:45 am

Re: How to find the various http methods supported by a web-server MANUALLY ?

manoj9372 wrote:Maybe this is the one I need to try, but I don't know whether it would be possible to do it on larger sites?


As far as I know, the spider portion of Burp works no matter how large the site.  It may take longer to crawl, but it'll still work.  Here's how the spider portion of Burp works: http://portswigger.net/burp/spider.html
GSEC, eCPPT, Sec+
<<

j0rDy

Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Tue Aug 23, 2011 7:50 am

Re: How to find the various http methods supported by a web-server MANUALLY ?

A small tutorial because I have some (rare) spare time:

First we pick a target: 74.208.46.66 (resolve it for a small lol)

We telnet to the port that is used by the webserver (in this case 80):
  Code:
Trying 74.208.46.66...
Connected to 74.208.46.66.
Escape character is '^]'.

We type the following:

  Code:
HEAD / HTTP/1.0

After hitting enter two times we receive the reply:

  Code:
HTTP/1.1 200 OK
Date: Tue, 23 Aug 2011 12:46:32 GMT
Server: Apache
Last-Modified: Sun, 06 May 2007 07:41:03 GMT
ETag: "300000c4-1909-463d868f"
Accept-Ranges: bytes
Content-Length: 6409
Connection: close
Content-Type: text/html

Connection closed by foreign host.


Now we know it's a webserver that is active (doh) and we check what options are available by connecting again and executing the OPTIONS method:

  Code:
OPTIONS / HTTP/1.0


We receive the following output:

  Code:
HTTP/1.1 200 OK
Date: Tue, 23 Aug 2011 12:48:40 GMT
Server: Apache
Content-Length: 0
Allow: GET, HEAD, OPTIONS
Connection: close


Now we see the methods allowed by the server. Some to look for are TRACE and PUT (which indicates that there might be a WebDAV service active, which can be...well...handy ;)

Good luck!
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
<<

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Tue Aug 23, 2011 5:26 pm

Re: How to find the various http methods supported by a web-server MANUALLY ?

You can also use these tools to play with:
HTTP Options: http://attacks.intern0t.net/htopt/
TRACE: http://attacks.intern0t.net/xstrace/


In short, "htopt" simply sends the "OPTIONS" header for you, and keep in mind that not all servers include this feature (request / function) for an unknown reason.

The "xstrace" program / tool, acts as a proxy between you and the target, so you can perform TRACE requests and see the result without an intercepting proxy or another tool.
I'm an InterN0T'er
<<

Grendel

Full Member

Posts: 246

Joined: Thu Aug 28, 2008 8:48 am

Location: Colorado Springs, CO

Post Tue Aug 23, 2011 7:20 pm

Re: How to find the various http methods supported by a web-server MANUALLY ?

Keep in mind, also, that the OPTION header can lie. I never trust its output and always verify things manually. I've been lied to too many times to count. Just wanted to add that tidbit.
- Thomas Wilhelm, MSCS MSM
ISSMP CISSP SCSECA SCNA IEM

Web Site:
  • http://HackingDojo.com
Author:
  • Professional Penetration Testing
  • Ninja Hacking
  • Penetration Tester's Open Source Toolkit
  • Metasploit Toolkit for Penetration Testing
  • Netcat Power Tools
<<

manoj9372

Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Tue Aug 23, 2011 7:48 pm

Re: How to find the various http methods supported by a web-server MANUALLY ?

MaXe wrote:You can also use these tools to play with:
HTTP Options: http://attacks.intern0t.net/htopt/
TRACE: http://attacks.intern0t.net/xstrace/


In short, "htopt" simply sends the "OPTIONS" header for you, and keep in mind that not all servers include this feature (request / function) for an unknown reason.

The "xstrace" program / tool, acts as a proxy between you and the target, so you can perform TRACE requests and see the result without an intercepting proxy or another tool.


I have been actively following you, MaXe. I have already been trying those tools from InterN0T; they are very simple to use.

And at last I found it, MaXe :)

But this is the only question for which I still couldn't find a firm answer:

manoj9372 wrote:5) Also, I would like to know how a website explicitly checks for GET or POST methods.

Also, how can we identify this manually?

Or in other words:

When we send a request with a "Y" HTTP method to the server instead of the "X" HTTP method expected by the server, how will a web server explicitly check for this?

Also, if the server allows a "Y" method instead of the "X" method (which is actually expected by the server), does it pose any serious threat to the web server?


Grendel wrote:Keep in mind, also, that the OPTION header can lie. I never trust its output and always verify things manually. I've been lied to too many times to count. Just wanted to add that tidbit.


Thanks for the information, Grendel. I'll keep this in mind.
Last edited by manoj9372 on Tue Aug 23, 2011 8:04 pm, edited 1 time in total.
<<

j0rDy

Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Wed Aug 24, 2011 1:48 am

Re: How to find the various http methods supported by a web-server MANUALLY ?

Grendel wrote:Keep in mind, also, that the OPTION header can lie. I never trust its output and always verify things manually. I've been lied to too many times to count. Just wanted to add that tidbit.


Very true, always check your results manually. If the checked method is not available you will probably receive a 501 Not Implemented message.
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
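
The cross-check discussed in the posts above (the `Allow` list from OPTIONS versus what the server answers when each method is actually sent), as an added example that is not part of any poster's message. It works offline on constructed responses; the function names, the per-method replies and the choice of 405/501 as "rejected" are assumptions of the example.

```python
# Added example: offline comparison of an OPTIONS "Allow" header with
# the status codes seen when each method was actually sent.
# All responses below are constructed samples, not captured traffic.

REJECTED = {405, 501}  # Method Not Allowed / Not Implemented

def parse_response(raw):
    """Split a raw HTTP response head into (status_code, headers)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def advertised_methods(options_raw):
    """Methods listed in the Allow header of an OPTIONS reply."""
    _, headers = parse_response(options_raw)
    allow = headers.get("allow", "")
    return {m.strip().upper() for m in allow.split(",") if m.strip()}

def audit(options_raw, probes):
    """Compare what OPTIONS claims with what each probe showed."""
    claimed = advertised_methods(options_raw)
    accepted = {m for m, raw in probes.items()
                if parse_response(raw)[0] not in REJECTED}
    tested = set(probes)
    return {
        "claimed_but_rejected": sorted((claimed & tested) - accepted),
        "accepted_but_unclaimed": sorted(accepted - claimed),
        "claimed_untested": sorted(claimed - tested),
    }

# Constructed sample: Allow header as in the tutorial above.
OPTIONS_REPLY = (
    "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 0\r\n"
    "Allow: GET, HEAD, OPTIONS\r\nConnection: close\r\n\r\n"
)
# Constructed per-method replies (hypothetical server behaviour).
PROBES = {
    "GET": "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
    "HEAD": "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET\r\n\r\n",
    "TRACE": "HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n",
    "PUT": "HTTP/1.1 501 Not Implemented\r\n\r\n",
}

if __name__ == "__main__":
    print(audit(OPTIONS_REPLY, PROBES))
```

On a server you administer, a non-empty `accepted_but_unclaimed` list is the entry to review first, since it names methods that answer even though OPTIONS does not list them.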
<<

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Wed Aug 24, 2011 7:23 am

Re: How to find the various http methods supported by a web-server MANUALLY ?

Grendel wrote:Keep in mind, also, that the OPTION header can lie. I never trust its output and always verify things manually. I've been lied to too many times to count. Just wanted to add that tidbit.


:) <nods head in agreement>
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

mambru

Jr. Member

Posts: 98

Joined: Wed Jun 03, 2009 3:11 pm

Post Wed Aug 24, 2011 10:21 am

Re: How to find the various http methods supported by a web-server MANUALLY ?

manoj9372 wrote:When we send a request with a "Y" HTTP method to the server instead of the "X" HTTP method expected by the server, how will a web server explicitly check for this?

Also, if the server allows a "Y" method instead of the "X" method (which is actually expected by the server), does it pose any serious threat to the web server?


You're talking about HTTP verb tampering:

http://jeremiahgrossman.blogspot.com/2008/06/what-you-need-to-know-about-http-verb.html
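
An added example (not part of the post above, and not code from any server discussed in this thread) of how server-side code can check the request method explicitly, with an access rule that names only some methods beside one that covers every method. The route table, path prefix and function names are hypothetical.

```python
# Added example: explicit method checking on the server side.
# Route table, prefix and function names are hypothetical.

KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE",
                 "OPTIONS", "TRACE", "CONNECT"}

# Per-path allow-list: a method not listed for a path is refused.
ROUTES = {
    "/admin/users": {"GET", "HEAD", "POST"},
    "/": {"GET", "HEAD"},
}
PROTECTED_PREFIX = "/admin/"

def guard_listed_methods_only(method, path, is_admin):
    """Weak rule: it names the methods it protects, so a method left
    off the list (here HEAD) is never checked. This is the gap that
    HTTP verb tampering refers to."""
    if path.startswith(PROTECTED_PREFIX) and method in {"GET", "POST"}:
        return is_admin
    return True

def guard_all_methods(method, path, is_admin):
    """Corrected rule: the path is protected for every method."""
    if path.startswith(PROTECTED_PREFIX):
        return is_admin
    return True

def handle(method, path, is_admin, guard):
    """Return (status, headers) for one request."""
    if method not in KNOWN_METHODS:
        return 501, {}                      # Not Implemented
    allowed = ROUTES.get(path)
    if allowed is None:
        return 404, {}
    if method not in allowed:               # Method Not Allowed
        return 405, {"Allow": ", ".join(sorted(allowed))}
    if not guard(method, path, is_admin):
        return 403, {}
    return 200, {}

if __name__ == "__main__":
    for g in (guard_listed_methods_only, guard_all_methods):
        print(g.__name__, handle("HEAD", "/admin/users", False, g))
    print(handle("PUT", "/", False, guard_all_methods))
    print(handle("FOO", "/", False, guard_all_methods))
```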
