2020-08-19 14:18:50 +00:00
id : put-method-enabled
2020-08-19 12:17:24 +00:00
info :
2022-04-21 21:16:41 +00:00
name : PUT Method Enabled
2020-08-19 12:17:24 +00:00
author : xElkomy
severity : high
2023-10-14 11:27:55 +00:00
description : The HTTP PUT method is normally used to upload data that is saved on the server at a user-supplied URL. If enabled, an attacker may be able to place arbitrary, and potentially malicious, content into the application. Depending on the server's configuration, this may lead to compromise of other users (by uploading client-executable scripts), compromise of the server (by uploading server-executable code), or other attacks.
2022-04-22 10:38:41 +00:00
reference :
- https://portswigger.net/kb/issues/00100900_http-put-method-is-enabled
2023-04-28 08:11:21 +00:00
metadata :
max-request : 2
2023-10-14 11:27:55 +00:00
tags : injection,misconfig,intrusive
2020-08-19 12:17:24 +00:00
2023-04-27 04:28:59 +00:00
http :
2020-08-19 12:17:24 +00:00
- raw :
- |
2020-08-19 14:18:50 +00:00
PUT /testing-put.txt HTTP/1.1
2021-09-30 16:52:05 +00:00
Host : {{Hostname}}
2020-08-19 12:17:24 +00:00
Content-Type : text/plain
2020-08-19 14:33:55 +00:00
2021-05-04 11:02:53 +00:00
{{randstr}}
2020-08-19 14:18:50 +00:00
- |
GET /testing-put.txt HTTP/1.1
2021-09-30 16:52:05 +00:00
Host : {{Hostname}}
2020-08-19 12:17:24 +00:00
Content-Type : text/plain
2020-08-19 14:18:50 +00:00
2020-08-19 12:17:24 +00:00
matchers :
2020-11-19 00:36:57 +00:00
- type : dsl
dsl :
2021-05-04 11:02:53 +00:00
- 'contains(body_2, "{{randstr}}")'
2023-11-27 09:19:41 +00:00
# digest: 4a0a0047304502201225cd1ff5d00fe33b532ce76cb75892ff7404812e8b2200698aee8c588941f3022100cc2d7d188e1aeca53f859da902da03c54cfb846a1b8f4e0c6f4b1c49fd6b7a30:922c64590222798bb761d5b6d8e72950
