Listing supported HTTP methods

Web servers support different HTTP methods according to their configuration and software, and some of them could be dangerous under certain conditions. Pentesters need a way of quickly listing the available methods. The NSE script http-methods allows them not only to list these potentially-dangerous methods but also to test them.

This recipe shows you how to use Nmap to enumerate all of the HTTP methods supported by a web server.

How to do it...

Open a terminal and enter the following command:

$ nmap -p80,443 --script http-methods scanme.nmap.org

The results are shown for every web server detected on ports 80 or 443:

Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.11s latency).
PORT    STATE  SERVICE
80/tcp  open   http
|_http-methods: GET HEAD POST OPTIONS
443/tcp closed https

How it works...

The argument -p80,443 --script http-methods makes Nmap launch the http-methods script if a web server is found on ports 80 or 443 (-p80,443). The NSE script http-methods was submitted by Bernd Stroessenreuther, and it uses the HTTP method OPTIONS to try to list all of the methods supported by a web server.

OPTIONS is implemented in web servers to inform clients of the methods they support. Remember that this method does not take into consideration configuration or firewall rules, and having a method listed by OPTIONS does not necessarily mean that it is accessible to you.

There's more...

To individually check the status code response of the methods returned by OPTIONS, use the script argument http-methods.retest:

# nmap -p80,443 --script http-methods --script-args http-methods.retest scanme.nmap.org
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.14s latency).
PORT    STATE  SERVICE
80/tcp  open   http
| http-methods: GET HEAD POST OPTIONS
| GET / -> HTTP/1.1 200 OK
|
| HEAD / -> HTTP/1.1 200 OK
|
| POST / -> HTTP/1.1 200 OK
|
|_OPTIONS / -> HTTP/1.1 200 OK
443/tcp closed https

By default, the script http-methods uses the root folder as the base path ( / ). If you wish to set a different base path, set the argument http-methods.url-path:

# nmap -p80,443 --script http-methods --script-args http-methods.url-path=/mypath/ scanme.nmap.org

Interesting HTTP methods

The HTTP methods TRACE, CONNECT, PUT, and DELETE might present a security risk, and they need to be tested thoroughly if supported by a web server or application.

TRACE makes applications susceptible to Cross Site Tracing (XST) attacks and could lead to attackers accessing cookies marked as httpOnly. The CONNECT method might allow the web server to be used as an unauthorized web proxy. The methods PUT and DELETE have the ability to change the contents of a folder, and this could obviously be abused if the permissions are not set properly.

You can learn more about common risks associated with each method at http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29.
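
The following added example (not from the book or the Nmap project) triages http-methods output in the layout shown in this recipe, flagging the four methods named above and pairing each with its http-methods.retest status when one is present. The function names, the host app.example.test, and the sample scan text are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage http-methods output in the format shown in this recipe.
# flag_risky_methods and sample_scan are hypothetical names, not part of Nmap.
# Prints "host port: METHOD(status)" for ports listing TRACE, CONNECT, PUT or
# DELETE; status is the http-methods.retest code, or "listed-only" without it.
flag_risky_methods() {
    awk '
        function risky(m) {
            return m == "TRACE" || m == "CONNECT" || m == "PUT" || m == "DELETE"
        }
        function emit(   i, out, st) {        # report, then reset, current port
            for (i = 1; i <= n; i++) {
                st = (list[i] in code) ? code[list[i]] : "listed-only"
                out = out (i > 1 ? " " : "") list[i] "(" st ")"
            }
            if (n > 0) print host " " port ": " out
            n = 0; split("", code)
        }
        /^Nmap scan report for / { emit(); host = $5; next }
        /^[0-9]+\/(tcp|udp) /    { emit(); port = $1; next }
        /^\|/ {
            sub(/^\|[_ ]*/, "")               # strip NSE prefix; fields re-split
            if ($1 == "http-methods:") {
                for (i = 2; i <= NF; i++)
                    if (risky(toupper($i))) list[++n] = toupper($i)
            } else if ($3 == "->" && risky($1)) {
                code[$1] = $5                 # "PUT / -> HTTP/1.1 405 ..."
            }
        }
        END { emit() }
    '
}

sample_scan() {   # constructed sample in the layout this recipe shows
    cat <<'EOF'
Nmap scan report for app.example.test (192.0.2.10)
PORT     STATE SERVICE
80/tcp   open  http
| http-methods: GET HEAD POST OPTIONS PUT TRACE
| GET / -> HTTP/1.1 200 OK
|
| PUT / -> HTTP/1.1 405 Method Not Allowed
|
|_TRACE / -> HTTP/1.1 200 OK
8080/tcp open  http-proxy
|_http-methods: GET HEAD OPTIONS DELETE
EOF
}
sample_scan | flag_risky_methods
```

Entries marked listed-only still need the retest run, since OPTIONS output does not reflect configuration or firewall rules.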

HTTP User Agent

There are some packet filtering products that block requests that use Nmap's default HTTP User Agent. You can use a different HTTP User Agent by setting the argument http.useragent:

$ nmap -p80 --script http-methods --script-args http.useragent="Mozilla 42" <target>

HTTP pipelining

Some web servers allow the encapsulation of more than one HTTP request in a single packet. This may speed up the execution of an NSE HTTP script, and using it is recommended if the web server supports it. The HTTP library, by default, tries to pipeline 40 requests and automatically adjusts the number of requests according to the traffic conditions, based on the Keep-Alive header. Use the script argument http.pipeline to set a different value:

$ nmap -p80 --script http-methods --script-args http.pipeline=25 <target>

Additionally, you can use the argument http.max-pipeline to set the maximum number of HTTP requests to be added to the pipeline. If the script parameter http.pipeline is set, this argument will be ignored:

$ nmap -p80 --script http-methods --script-args http.max-pipeline=10 <target>

See also

  • The Detecting possible XST vulnerabilities recipe
  • The Discovering interesting files and directories on various web servers recipe
  • The Detecting web application firewalls recipe
  • The Abusing mod_userdir to enumerate user accounts recipe
  • The Testing default credentials in web applications recipe
  • The Detecting web servers vulnerable to slowloris denial of service attacks recipe