Testing HTTP Methods for Web Application Security

In the world of web security, understanding HTTP methods and how to test them is crucial. Different HTTP methods like GET, POST, OPTIONS, TRACE, DELETE, and PUT, among others, are used to interact with resources on a web server. Testing these methods can help identify vulnerabilities in web applications and ensure that the server is correctly handling requests.
This article will explore the various tools and techniques used to test HTTP methods, including Nikto, Nmap, Curl, Netcat, and Burp Suite. By understanding how to leverage these tools, you can better assess your server’s security posture.

What Are HTTP Methods?

HTTP methods (also known as HTTP verbs) are part of the HTTP protocol, which governs communication between web clients (like browsers) and web servers. Each method has a specific purpose, and the most commonly used ones include:

  • GET: Retrieves data from the server.
  • POST: Submits data to the server.
  • OPTIONS: Retrieves the allowed HTTP methods for a resource.
  • HEAD: Retrieves the headers of a resource, without the body.
  • PUT: Updates or creates a resource on the server.
  • DELETE: Deletes a resource from the server.
  • TRACE: Echoes back the received request, often used for diagnostic purposes.

When testing web applications, it’s essential to ensure that these methods are appropriately configured and secured. Some HTTP methods can be abused by attackers to perform unauthorized actions, making it important to test for their presence and misconfigurations.

Tools for Testing HTTP Methods

Several security tools allow you to test HTTP methods to see which ones are allowed or misconfigured. Here’s a breakdown of how to use each tool for HTTP method testing.

1. Nikto

Nikto is a widely-used web server scanner that can help identify security vulnerabilities, including issues related to HTTP methods. It performs tests for various HTTP methods and provides a report on the allowed methods on the target server.

Syntax:

$ nikto -h <Target>

For example, to scan a target, use the following command:

$ nikto -h http://10.1.1.1/open/

Nikto will check which HTTP methods are enabled on the target server, such as GET, POST, PUT, DELETE, and OPTIONS, and report them accordingly. It will also check for other vulnerabilities, such as outdated software, insecure HTTP headers, and more.

2. Nmap

Nmap is a powerful network scanning tool that can also be used to check which HTTP methods are allowed on a web server. Nmap provides a script (http-methods) that helps identify enabled HTTP methods by sending requests with various methods and analyzing the server’s response.

Syntax:

$ nmap --script http-methods <target>

For example:

$ nmap --script http-methods 10.1.1.1

You can also specify a particular path or endpoint for more targeted testing:

$ nmap --script http-methods --script-args http-methods.url-path='/DVWA/login.php' 10.1.1.1

This will run the script against the /DVWA/login.php path on the target server, allowing you to determine which HTTP methods are enabled for that specific resource.

3. Curl

Curl is a command-line tool for transferring data with URLs. It is useful for manually sending HTTP requests and testing different HTTP methods. You can use Curl to send specific HTTP methods to a server and analyze the server’s response.

Syntax:

curl -v -X <Method name> <Target>

For example, to send an OPTIONS request:

curl -v -X OPTIONS http://10.1.1.1/open/

Curl will return the headers, including the Allow header, which lists the allowed HTTP methods for the resource.

4. Netcat (nc)

Netcat, often called the “Swiss Army knife” of networking, can be used to send raw HTTP requests and analyze the server’s response. It’s a great tool for low-level testing of HTTP methods and other requests.

Example:

$ nc 192.168.148.139 80
OPTIONS /dav/ HTTP/1.1
Host: 192.168.148.139

After typing the request, press Enter twice (the empty line terminates the headers) to send it. You will receive the HTTP response, which may include an Allow header listing the supported methods.

Example response:

HTTP/1.1 200 OK
...
Allow: OPTIONS, GET, HEAD, POST, DELETE, TRACE, PROPFIND, PROPPATCH, COPY, MOVE, LOCK, UNLOCK

The Allow header in the response reveals all the HTTP methods that the server supports for the requested resource.

5. Burp Suite

Burp Suite is a popular web vulnerability scanner and proxy tool for web application security testing. One of its useful features is Burp Repeater, which lets you modify and resend requests captured by the Proxy, making it easy to test different HTTP methods against the same resource.

Steps to Test HTTP Methods Using Burp Suite:

  1. Capture a request in Burp Suite’s Proxy.
  2. Right-click the captured request and send it to Burp Repeater.
  3. In Burp Repeater, change the HTTP method to OPTIONS or any other method you want to test.
  4. Click Send.

Example:

OPTIONS /open/ HTTP/1.1

Burp Suite will display the response, which should include the Allow header listing the supported methods for the resource.

TRACE Method

The TRACE HTTP method is used for diagnostic purposes. It returns the exact contents of the HTTP request in the response, which can be useful for debugging. However, it can also pose a security risk, as attackers could exploit it to gain information about the request headers, including cookies or other sensitive data.

When testing for the TRACE method, it’s essential to ensure that the server is not misconfigured to allow it, as this could lead to potential information leakage or cross-site tracing (XST) attacks.
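The two checks described in this article, the Allow-header audit from the Curl and Netcat sections and the TRACE echo test here, as an added Python example that is not part of the original article; the OPTIONS and TRACE responses it parses are constructed samples modelled on the Netcat output above, and the BASELINE and HIGH_RISK method sets are assumptions to tune per resource.

```python
# Added example (not from the original article): audit a raw OPTIONS response the
# way a tester would after the curl/Netcat step, and check a TRACE response for the
# request echo that makes cross-site tracing possible. All sample data is constructed.

OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: OPTIONS, GET, HEAD, POST, DELETE, TRACE, PROPFIND, PROPPATCH, "
    "COPY, MOVE, LOCK, UNLOCK\r\n"
    "Content-Length: 0\r\n\r\n"
)
TRACE_REQUEST = "TRACE /open/ HTTP/1.1\r\nHost: 10.1.1.1\r\nCookie: session=SAMPLE\r\n\r\n"
TRACE_RESPONSE = (  # a server with TRACE enabled echoes the request as message/http
    "HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n"
    f"Content-Length: {len(TRACE_REQUEST)}\r\n\r\n" + TRACE_REQUEST
)

BASELINE = {"GET", "HEAD", "POST", "OPTIONS"}  # assumed: what a typical resource needs
HIGH_RISK = {"PUT", "DELETE", "TRACE", "TRACK", "PROPFIND", "PROPPATCH", "MKCOL",
             "COPY", "MOVE", "LOCK", "UNLOCK", "CONNECT"}  # WebDAV/diagnostic methods
SENSITIVE = ("cookie", "authorization", "proxy-authorization")


def split_response(raw: str):
    """Return (status code, {lower-cased header name: value}, body) of a raw response."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status_line, *header_lines = head.split("\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers, body


def audit_methods(raw: str, baseline=BASELINE) -> dict:
    """Split the methods in the Allow header into expected, unexpected and high-risk."""
    allow = split_response(raw)[1].get("allow", "")
    methods = {m.strip().upper() for m in allow.split(",") if m.strip()}
    unexpected = methods - baseline
    return {"expected": sorted(methods & baseline),
            "unexpected": sorted(unexpected),
            "high_risk": sorted(unexpected & HIGH_RISK)}


def trace_echo(raw: str):
    """None if TRACE was refused; otherwise the sensitive request headers the echo reflects."""
    code, headers, body = split_response(raw)
    if code != 200 or not headers.get("content-type", "").startswith("message/http"):
        return None
    names = [ln.partition(":")[0].strip().lower() for ln in body.split("\n")]
    return [n for n in names if n in SENSITIVE]
```

An empty list from trace_echo still means TRACE is enabled and should be disabled; only None indicates the server refused the method.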

Conclusion

Testing HTTP methods is a vital step in web application security. By using tools like Nikto, Nmap, Curl, Netcat, and Burp Suite, you can determine which HTTP methods are enabled on a server and assess whether they are configured securely. Understanding the allowed methods for a resource helps identify potential vulnerabilities, such as improper HTTP method usage or misconfigurations that could lead to unauthorized access.

Always ensure that unnecessary HTTP methods are disabled, and restrict access to sensitive resources using appropriate authentication and authorization controls. Regular testing and auditing of HTTP methods are essential for maintaining a secure web application environment.