- by x32x01 ||
If these extra methods are left enabled without proper security, attackers could exploit them to upload, modify, or delete data directly. Understanding and controlling all available HTTP methods is key to securing your applications.
Commonly Overlooked HTTP Methods
Here’s a quick look at the methods often ignored:
PUT
- Uploads or replaces a resource on the server.
- Risk: Uploading malicious files to gain server access.
DELETE
- Removes a specific resource.
- Risk: Deleting critical files or application data.
PATCH
- Partially modifies an existing resource.
- Risk: Changing configuration files or stored content.
TRACE
- Echoes the received request back to the client.
- Risk: Can lead to Cross-Site Tracing (XST) attacks.
OPTIONS
- Reveals which HTTP methods are supported by the server.
- Risk: Used by attackers for reconnaissance and planning exploits.
How Attackers Discover Hidden Methods
Attackers often use the OPTIONS method to see what’s available on a web server:
Code:
curl -X OPTIONS https://target.com -i
Sample output:
Code:
HTTP/1.1 200 OK
Allow: GET, POST, OPTIONS, PUT, DELETE
This simple check tells attackers which methods they can try to exploit.
Exploitation Examples (Educational)
These examples show why unsecured methods are dangerous. Always use them in testing or labs, never on live servers without permission.
1. Uploading a File with PUT
Code:
curl -X PUT -d @shell.php https://target.com/uploads/shell.php
If the uploaded file is accessible, attackers could gain server control.
2. Deleting Content with DELETE
Code:
curl -X DELETE https://target.com/uploads/file.txt
This could remove important files or data from your application.
🛠 Why These Vulnerabilities Happen
- Default server configurations may leave extra methods enabled.
- Improper API security - developers may forget to protect all endpoints.
- Lack of testing - unused methods are rarely checked with security scans.
Prevention & Best Practices
1. Disable Unused HTTP Methods
Apache:
Code:
<LimitExcept GET POST>
    # GET here also covers HEAD. "Deny from all" is Apache 2.2 syntax;
    # on Apache 2.4 use "Require all denied" (or load mod_access_compat).
    Deny from all
</LimitExcept>
Nginx:
Code:
# Note: this pattern also rejects HEAD; add it if clients or health checks rely on it.
if ($request_method !~ ^(GET|POST)$ ) {
    return 405;
}
2. Enforce Authentication
- Require authentication for all sensitive methods (PUT, DELETE, PATCH).
3. Use a Web Application Firewall (WAF)
- Blocks suspicious or unauthorized HTTP requests automatically.
4. Regular Security Testing
- Run automated scanners and manual checks for all HTTP methods.
- Include these tests in your CI/CD pipeline for continuous security.
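The CI check described in step 4, as an added example that is not part of the original post: a small Python audit that sends every probe method to one path and reports any method outside a policy that the server did not reject, run here against two constructed localhost handlers (one that left PUT and DELETE enabled, one that did not). The policy set, the probe path and the handler classes are assumptions made for this example.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Methods to probe: the ones the post lists as commonly overlooked plus the usual ones.
PROBE_METHODS = ("GET", "HEAD", "POST", "OPTIONS", "PUT", "DELETE", "PATCH", "TRACE")
# Assumed policy for this example: only read/submit methods are permitted.
POLICY_ALLOWED = {"GET", "HEAD", "POST", "OPTIONS"}

def probe_methods(base_url, path="/uploads/probe.txt"):
    """Send every probe method to one path and return {method: status code}."""
    statuses = {}
    for method in PROBE_METHODS:
        body = b"" if method in ("POST", "PUT", "PATCH") else None  # empty body only
        req = urllib.request.Request(base_url + path, data=body, method=method)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                statuses[method] = resp.status
        except urllib.error.HTTPError as err:
            statuses[method] = err.code  # 405 / 501 are still answers worth recording
    return statuses

def method_violations(statuses, allowed=POLICY_ALLOWED):
    """Methods outside the policy that the server did NOT reject with 405 or 501."""
    return sorted(m for m, code in statuses.items()
                  if m not in allowed and code not in (405, 501))

class _BaseHandler(BaseHTTPRequestHandler):
    """Constructed test server: GET/HEAD/POST/OPTIONS answered, anything else gets the default 501."""
    def log_message(self, *_): pass  # keep test output quiet
    def do_GET(self): self.send_response(200); self.end_headers()
    do_HEAD = do_POST = do_GET
    def do_OPTIONS(self):
        self.send_response(204); self.send_header("Allow", "GET, HEAD, POST, OPTIONS"); self.end_headers()

class MisconfiguredHandler(_BaseHandler):
    """Constructed stand-in for a server that left PUT and DELETE enabled."""
    def do_PUT(self): self.send_response(201); self.end_headers()
    def do_DELETE(self): self.send_response(204); self.end_headers()

class HardenedHandler(_BaseHandler):
    """Nothing beyond the base handlers, so PUT/DELETE/PATCH/TRACE all fall through to 501."""

def audit(handler_cls):
    """Start handler_cls on a random localhost port, probe it, and return the violations."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return method_violations(probe_methods(f"http://127.0.0.1:{server.server_address[1]}"))
    finally:
        server.shutdown(); server.server_close()

if __name__ == "__main__":
    print("misconfigured:", audit(MisconfiguredHandler))  # ['DELETE', 'PUT']
    print("hardened:", audit(HardenedHandler))  # []
```

Point probe_methods at a staging URL and fail the pipeline when method_violations returns a non-empty list.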
Key Takeaway
Even if your site seems secure, unused HTTP methods can be a hidden backdoor for attackers. Always audit your server, disable unnecessary methods, and enforce strong authentication.
Protect your site before attackers find the weak points!