PUT Method Enabled
ID: put-method-enabled
Severity: high
Author: xElkomy
Tags: injection,misconfig,intrusive
Description
Section titled “Description”The HTTP PUT method is normally used to upload data that is saved on the server at a user-supplied URL. If enabled, an attacker may be able to place arbitrary, and potentially malicious, content into the application. Depending on the server’s configuration, this may lead to compromise of other users (by uploading client-executable scripts), compromise of the server (by uploading server-executable code), or other attacks.
YAML Source
Section titled “YAML Source”id: put-method-enabled
info: name: PUT Method Enabled author: xElkomy severity: high description: The HTTP PUT method is normally used to upload data that is saved on the server at a user-supplied URL. If enabled, an attacker may be able to place arbitrary, and potentially malicious, content into the application. Depending on the server's configuration, this may lead to compromise of other users (by uploading client-executable scripts), compromise of the server (by uploading server-executable code), or other attacks. reference: - https://portswigger.net/kb/issues/00100900_http-put-method-is-enabled metadata: max-request: 2 tags: injection,misconfig,intrusive
http: - raw: - | PUT /testing-put.txt HTTP/1.1 Host: {{Hostname}} Content-Type: text/plain
{{randstr}} - | GET /testing-put.txt HTTP/1.1 Host: {{Hostname}} Content-Type: text/plain
matchers: - type: dsl dsl: - 'contains(body_2, "{{randstr}}")'# digest: 4a0a00473045022100d0c90949f6355a15052c1a899a767261ac0da16ade7f6d65f5d8077cc76dab160220565d57490e54a5c98341992102167d9aa551a0f9fb18a74e1b077b77d393f926:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/misconfiguration/put-method-enabled.yaml"