Security Basics mailing list archives
Re: HTTP allowed methods
From: "sun sadm" <sunsadm () gmail com>
Date: Thu, 21 Sep 2006 20:11:02 +0200
On 9/21/06, Alcides <alcides.hercules () gmail com> wrote:
Hi list,

Lately, I've conducted a nikto scan for our corporate IP addresses. I found a few potential holes like:

+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
+ HTTP method 'PUT' method may allow clients to save files on the web server.
+ HTTP method 'DELETE' may allow clients to remove files on the web server.

Now I wish to verify the above mentioned. How can I go about? I have tried grabbing the banner using netcat and a file containing "GET / HTTP/1.0". How can I use netcat for PUT or DELETE? And what other utilities can be used for this?

Thanking all.
Hi Alcides,

I don't know how to do this with a raw connection (netcat). Maybe you can find out by reading more about the HTTP protocol: http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol

Personally I think WebDAV is enabled on your webserver. You can try it out with a WebDAV client. You can do the PUT, DELETE and so on with "curl" (most Linux distributions provide a package). For example:

curl -v -X PUT ...

Nico
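An added example, not from either poster, of checking this from a script instead of typing requests into netcat by hand: it sends OPTIONS, parses the Allow header, and flags the methods nikto reported. The DemoHandler is a constructed stand-in for the scanned server so the script runs offline; it assumes Python 3.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

RISKY = {"PUT", "DELETE", "TRACE"}  # methods nikto flags when a server advertises them

def parse_allow(header):
    """Split an Allow header like 'GET, HEAD, POST' into a set of method names."""
    if not header:
        return set()
    return {m.strip().upper() for m in header.split(",") if m.strip()}

def risky_methods(allowed):
    """Subset of advertised methods that should be reviewed or disabled."""
    return allowed & RISKY

def raw_request(method, path, host):
    """Bare HTTP/1.0 request bytes, the form you would pipe into netcat for any method."""
    return f"{method} {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()

def probe_options(host, port, path="/"):
    """Send OPTIONS and return (status code, methods listed in the Allow header)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        return resp.status, parse_allow(resp.getheader("Allow"))
    finally:
        conn.close()

class DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server advertising the methods from the nikto output."""
    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def demo():
    """Probe the local stand-in; returns (status, sorted risky methods it advertises)."""
    srv = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        status, allowed = probe_options("127.0.0.1", srv.server_port)
    finally:
        srv.shutdown()
        srv.server_close()
    return status, sorted(risky_methods(allowed))
```

Against a real host call probe_options(host, port); the Allow header only says what the server advertises, so whether a method is actually honoured on a given path still has to be confirmed the way the reply suggests, with curl -X.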