Using OWASP Mutillidae II, let's determine whether the application allows HTTP verbs beyond GET and POST.