Categories

Archives

Kali Linux, Penetration Testing

Multiple Ways to Detect HTTP Options

Hi Friends, today we will walk through various HTTP Protocol methods and the tools used to extract those available HTTP methods in a web server. As we are already aware that the HTTP protocol comprises of a number of methods that can be utilized to not only gather the information from the web server but can also perform specific actions on the web server. These techniques and methods are helpful for the web application developers in the deployment and testing stage of web applications.

GET and POST is the most well-known methods that are used to access and submit information provided by a web server, respectively. HTTP Protocol allows various other methods as well, like PUT, CONNECT, TRACE, HEAD, DELETE. These methods can be used for malicious purposes if the web server is left misconfigured and hence poses a major security risk for the web application, as this could allow an attacker to modify the files stored on the web server.

OPTIONS: The OPTIONS method is used to request the available HTTP methods on a web server.

GET: GET request is the most common and widely used methods for the websites. This method is used to retrieve the data from the web server for a specific resource. As the GET method only requests for the data and doesn’t modify the content of any resources, it’s considered to be safe.

POST: POST requests are used to send (or submit) the data to the web server so as to create or update a resource. The information sent is stored in the request body of the HTTP request and processed further. An example illustrating the same is “Contact us” form page on a website. When we fill a form and submit it, the input data is then stored in the response body of the request and sent across to the server.

PUT: The PUT method allows the end-user (client) to upload new files on the web server. An attacker can exploit it by uploading malicious files or by using the victim’s server as a file repository.

CONNECT: The CONNECT method could allow a client to use the web server as a proxy.

TRACE: This method echoes back to the client, the same string which has been sent across to the server, and is used mainly for debugging purposes.

HEAD: The HEAD method is almost similar to GET, however without the message-body in the response. In other words, if the HTTP request GET /products return a list of products, then the HEAD /products will trigger a similar HTTP request, however, won’t retrieve the list of products.

DELETE: This method enables a client to delete a file on the web server. An attacker can exploit it as a very simple and direct way to deface a web site or to perform a DoS attack.

Now let us use some tools to identify the HTTP methods enabled or supported by the web server

Metasploit

Metasploit Framework is a well-known platform for developing, testing, and executing exploits. It is an open source tool for performing various exploits against the target machines.

Metasploit has in-built auxiliary modules dedicated to scanning HTTP methods. Through the Metasploit framework command line (CLI), we can identify the HTTP Options available on the target URL as follows:

use auxiliary/scanner/http/options
set rhosts 192.168.1.109
set rport 80
exploit

cURL

cURL is a command line tool to get or send the data using the URL syntax and is compatible with various well-known protocols (HTTPS, FTP, SCP, LDAP, Telnet etc.) along with command line (CLI) options for performing various tasks (Eg: User authentication , FTP uploading , SSL connections etc). The cURL utility by default comes installed in most of the distributions. However if in case, cURL is not installed, then we can install the same via apt-get install curl command. For more details refer the below URL

Through the cURL command we can identify the HTTP Options available on the target URL as follows :

curl -v -X OPTIONS http://192.168.1.109

The screenshot displays the various types of allowed HTTP methods (GET, HEAD, POST, OPTIONS, TRACE), apart from other server-specific information (Server response, version details etc)

Nikto

Nikto is a Web server scanner that tests Web servers for dangerous files/CGIs, outdated server software and other issues. It performs generic and server types of specific checks.

Through the Nikto command we can identify the HTTP Options available on the target URL as follows :

nikto -h 192.168.1.109

The screenshot displays the various types of allowed HTTP methods (GET, HEAD, POST, OPTIONS, TRACE), apart from another detailed server specific information (Server response, version details etc)

Nmap

Nmap is a free and open-source security scanner, used to discover hosts and services on the network. This is another method of checking which HTTP methods are enabled by using an NMAP script called http-methods.nse, which can be obtained from https://nmap.org/nsedoc/scripts/http-methods.html .

Let us use NMAP command to enumerate all of the HTTP methods supported by a web server on the target URL as follows :

nmap --script http-methods --script-args http-method.test-all ='/192.168.1.109' 192.168.1.109

The screenshot displays the various types of allowed HTTP methods (GET, HEAD, POST, OPTIONS, TRACE) along with highlighting the potential risk methods (i.e TRACE) out of them.

Netcat

Netcat is a utility tool having the capability to write and read data across TCP and UDP network connections, along with features like in-built port scanning, network debugging and file transfer etc.

Through the Netcat command we can identify the HTTP Options available on the target URL as follows :

nc 192.168.1.109 80

Press enter and the following options appear in the command line. Enter the server details as follows (and as highlighted in red )

OPTIONS  http://192.168.1.109  / HTTP/1.0
host:192.168.1.109

The screenshot displays the various types of allowed HTTP methods (GET, HEAD, POST, OPTIONS, TRACE), apart from other server-specific information (Server response, version details etc)

 

Burpsuite

Burp Suite is a platform for performing various security testing for web applications, from initial mapping and analysis to identifying and exploiting application vulnerabilities.

As we are aware that the HTTP OPTIONS method provides us with the most effective way to discover the different methods allowed on an HTTP server. So, let us capture the URL request in Burpsuite GUI and change the HTTP method type in the Request section to OPTIONS, as seen below.

As shown, the RESPONSE from the web server not only displays the list of HTTP methods allowed, however also highlights the server version details (Eg: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL 1.0.0/k DAV/2 PHP/5.4.3)

Author: Ankur Sachdev is an Information Security consultant and researcher in the field of Network & WebApp Penetration Testing. Contact Here

6 thoughts on “Multiple Ways to Detect HTTP Options

  1. Hi,

    Thanks for the well written article.

    Looks like there is a typo :

    For POST method:It is written that

    “stored in the response body of the request and sent across to the server.”

    I think this should be :

    “stored in the body of the request and sent across to the server.”

    Thanks!

  2. Cool, yeah…found its enabled in my server, Gunicorn…Looking for a way to disable it…:-)

  3. hi.
    Thank for your post its really helpfull.
    Please tell me i need to test head access control bypass on nmap .
    what are the commande for that

  4. I have one question. While, you can list HTTP Options with using NC command, for some websites it is not possible to get the information with Nmap. What can be the reason? Thank you,

Comments are closed.