
by x32x01
Most web developers only focus on common HTTP methods like GET and POST, but web servers often support more than that - such as PUT, DELETE, PATCH, or even custom methods.
If these methods are unintentionally left enabled without proper authentication, attackers can exploit them to modify, delete, or upload data directly.
Commonly Overlooked HTTP Methods
1. PUT - Allows uploading or replacing a resource on the server.
> Example: Uploading a malicious file to gain remote access.
2. DELETE - Deletes a specific resource.
> Example: Removing critical files or data.
3. PATCH - Partially modifies an existing resource.
> Example: Altering configuration files or stored data.
4. TRACE - Echoes back the received request.
> Example: Can lead to Cross-Site Tracing (XST) attacks.
5. OPTIONS - Reveals which HTTP methods are allowed for a given URL.
> Example: Used for reconnaissance.
How Attackers Discover Hidden Methods
Attackers can use the OPTIONS method to check what methods are available:
curl -X OPTIONS https://target.com -i
Sample output:
HTTP/1.1 200 OK
Allow: GET, POST, OPTIONS, PUT, DELETE
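The same OPTIONS probe is the quickest way to audit your own servers. The following is an added example, not code from the original post: it parses the Allow header out of a raw response in the shape shown above (as printed by curl -i), diffs it against the methods the application is meant to expose, and flags the high-risk ones. EXPECTED_METHODS, HIGH_RISK and the sample response are constructed assumptions; fetch_options_response is an optional network helper for hosts you administer and is not exercised offline.

```python
# Added example (not from the original post): audit the Allow header a server
# returns to OPTIONS and compare it with the methods you intend to expose.
import http.client
from typing import Iterable

# Methods a typical read/submit web app actually needs. Constructed allowlist;
# adjust per application.
EXPECTED_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}

# Methods that deserve attention whenever they show up unexpectedly.
HIGH_RISK = {"PUT", "DELETE", "PATCH", "TRACE", "CONNECT"}


def parse_allow_header(raw_response: str) -> set[str]:
    """Extract the method list from the Allow header of a raw HTTP response.

    Accepts the text of a full response (status line + headers), as printed
    by `curl -i`, and returns the set of upper-cased method tokens.
    """
    for line in raw_response.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            return {m.strip().upper() for m in value.split(",") if m.strip()}
    return set()


def unexpected_methods(allowed: Iterable[str],
                       expected: Iterable[str] = EXPECTED_METHODS) -> set[str]:
    """Return the methods the server advertises that are not on our allowlist."""
    return set(allowed) - set(expected)


def audit_allow(raw_response: str) -> dict:
    """Summarise an OPTIONS response: what is exposed, what is unexpected,
    and which of the unexpected methods are high risk."""
    allowed = parse_allow_header(raw_response)
    extra = unexpected_methods(allowed)
    return {
        "allowed": sorted(allowed),
        "unexpected": sorted(extra),
        "high_risk": sorted(extra & HIGH_RISK),
    }


def fetch_options_response(host: str, path: str = "/") -> str:
    """Send OPTIONS to a host you administer and return the response as text
    (status line plus headers), in the same shape curl -i prints it.
    Network call; not used by the offline demo below."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        status_line = f"HTTP/1.1 {resp.status} {resp.reason}"
        headers = [f"{k}: {v}" for k, v in resp.getheaders()]
        return "\n".join([status_line, *headers])
    finally:
        conn.close()


# Constructed sample, matching the output shown in the post.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Allow: GET, POST, OPTIONS, PUT, DELETE
Content-Length: 0
"""

if __name__ == "__main__":
    report = audit_allow(SAMPLE_RESPONSE)
    for key, value in report.items():
        print(f"{key}: {', '.join(value) or '-'}")
```

Run it against the sample and the report lists PUT and DELETE as both unexpected and high risk; an empty "unexpected" list is the state you want on every public endpoint. Because Allow is per-URL, audit each path that matters (upload directories, API roots), not just "/".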
Exploitation Examples
1. Uploading a File with PUT
curl -X PUT -d @shell.php https://target.com/uploads/shell.php
If the file is publicly accessible, the attacker can run it to gain server control.
2. Deleting Content with DELETE
curl -X DELETE https://target.com/uploads/file.txt
This can remove important data or resources from the application.
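Both of the requests above leave a clear trace in the web server's access log, and the status code tells you whether the server actually honoured the method. The following is an added example, not code from the original post: it parses lines in the common Apache/Nginx "combined" format, flags requests whose method is outside an allowlist, ranks the ones the server accepted (2xx/3xx) above the ones it rejected, and counts OPTIONS probes per client. The log format regex, ALLOWED_METHODS and the sample log lines are constructed assumptions.

```python
# Added example (not from the original post): detect non-allowlisted HTTP
# methods in access logs and separate "the server accepted it" from
# "the server rejected it".
import re
from collections import Counter
from typing import Optional

# Apache/Nginx "combined" log format. Constructed regex; adjust for custom formats.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed allowlist: what this application is meant to serve.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def find_unexpected_method_requests(lines):
    """Return entries whose method is outside ALLOWED_METHODS, each tagged with
    a severity: 'accepted' when the server answered 2xx/3xx (the method worked),
    'rejected' otherwise (405, 403, ...)."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["method"] in ALLOWED_METHODS:
            continue
        entry["severity"] = "accepted" if 200 <= entry["status"] < 400 else "rejected"
        findings.append(entry)
    return findings


def summarize(findings) -> Counter:
    """Count findings by (method, severity) for a quick triage view."""
    return Counter((f["method"], f["severity"]) for f in findings)


def options_probes(lines) -> Counter:
    """Count OPTIONS requests per client IP; a burst from one client is
    usually reconnaissance rather than a CORS preflight."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and entry["method"] == "OPTIONS":
            counts[entry["ip"]] += 1
    return counts


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "OPTIONS / HTTP/1.1" 200 0',
    '203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "PUT /uploads/shell.php HTTP/1.1" 201 0',
    '203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "DELETE /uploads/file.txt HTTP/1.1" 405 0',
    '198.51.100.3 - - [10/Mar/2024:12:00:05 +0000] "TRACE / HTTP/1.1" 200 140',
    '198.51.100.3 - - [10/Mar/2024:12:00:06 +0000] "POST /login HTTP/1.1" 302 0',
    'not a log line at all',
]

if __name__ == "__main__":
    for f in find_unexpected_method_requests(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['ip']:15} {f['method']:7} {f['path']} -> {f['status']}")
    print(summarize(SAMPLE_LOG and find_unexpected_method_requests(SAMPLE_LOG)))
    print(options_probes(SAMPLE_LOG))
```

On the sample, the PUT that returned 201 and the TRACE that returned 200 are the "accepted" findings worth paging on: the server did what was asked. The rejected DELETE (405) shows the restriction is working but still records who tried. Feed the functions real log lines one file at a time; the regex ignores anything that does not match, so the odd malformed line does not break the run.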
Why This Happens
Default server configurations may enable extra methods.
Improper API security - developers forget to secure all endpoints.
Lack of security testing for unused HTTP methods.
Prevention & Best Practices
Disable unused HTTP methods in your web server config:
Enforce authentication for all sensitive methods.
Implement a Web Application Firewall (WAF) to block suspicious requests.
Regularly test your application with security scanners and manual checks.
Code:
Apache:
# Allow only GET and POST (HEAD is permitted along with GET); every other method is denied.
<LimitExcept GET POST>
Deny from all
</LimitExcept>
# On Apache 2.4 the equivalent of "Deny from all" is "Require all denied".
# LimitExcept does not cover TRACE; turn it off separately with: TraceEnable off
Nginx:
# Reject any method other than GET or POST with 405. Note this also blocks HEAD;
# add it to the pattern if your application needs it.
if ($request_method !~ ^(GET|POST)$ ) {
return 405;
}
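Server-side blocking is the first line, but the application itself should refuse unexpected methods too, so the restriction survives a misapplied vhost config or a deployment behind a different proxy. The following is an added example, not code from the original post: a plain WSGI middleware (no framework assumed) that rejects every method outside an allowlist with 405 plus the mandatory Allow header, and answers OPTIONS itself so the server never advertises more than the allowlist. ALLOWED_METHODS, demo_app and the in-process call helper are constructed for the example.

```python
# Added example (not from the original post): enforce an HTTP method allowlist
# inside the application, independent of the web server configuration.

# Constructed allowlist for a read/submit web app.
ALLOWED_METHODS = ("GET", "HEAD", "POST", "OPTIONS")


def method_allowlist(app, allowed=ALLOWED_METHODS):
    """Wrap a WSGI app so that only the listed methods reach it."""
    allowed = tuple(m.upper() for m in allowed)
    allow_header = ", ".join(allowed)

    def wrapper(environ, start_response):
        method = environ.get("REQUEST_METHOD", "").upper()
        if method not in allowed:
            # 405 responses are required to carry an Allow header (RFC 9110),
            # and it must list only what we actually accept.
            body = b"Method Not Allowed\n"
            start_response("405 Method Not Allowed", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
                ("Allow", allow_header),
            ])
            return [body]
        if method == "OPTIONS":
            # Answer OPTIONS here so the advertised list never drifts from the
            # enforced one, whatever the framework behind us would have said.
            start_response("204 No Content", [
                ("Allow", allow_header),
                ("Content-Length", "0"),
            ])
            return [b""]
        return app(environ, start_response)

    return wrapper


def demo_app(environ, start_response):
    """Stand-in application: a single text page."""
    body = b"hello\n"
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Content-Length", str(len(body))),
    ])
    return [body]


def call(app, method, path="/"):
    """Invoke a WSGI app in-process and return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "SERVER_PROTOCOL": "HTTP/1.1",
    }
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


protected = method_allowlist(demo_app)

if __name__ == "__main__":
    for m in ("GET", "PUT", "DELETE", "TRACE", "OPTIONS"):
        status, headers, _ = call(protected, m)
        print(f"{m:8} -> {status}  Allow: {headers.get('Allow', '-')}")
    # To serve it for real: wsgiref.simple_server.make_server("127.0.0.1", 8000, protected).serve_forever()
```

Put the middleware outermost in the stack so that nothing, including framework-level PUT/DELETE/PATCH routes you forgot about, is reachable with a method you did not list. If an API genuinely needs PUT or DELETE on some routes, apply the allowlist per route prefix rather than removing it globally, and keep authentication in front of those routes as the post says.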
Key Takeaway
Even if you think your site is secure, unused HTTP methods can be the backdoor attackers are waiting for. Always audit and lock down your server’s allowed methods.