nuclei-templates/http/misconfiguration/put-method-enabled.yaml

35 lines
1.0 KiB
YAML
Raw Normal View History

2020-08-19 14:18:50 +00:00
id: put-method-enabled
2020-08-19 12:17:24 +00:00
info:
name: PUT Method Enabled
2020-08-19 12:17:24 +00:00
author: xElkomy
severity: high
description: The HTTP PUT method is normally used to upload data that is saved on the server at a user-supplied URL. If enabled, an attacker may be able to place arbitrary, and potentially malicious, content into
the application. Depending on the server's configuration, this may lead to compromise of other users (by uploading client-executable scripts), compromise of the server (by uploading server-executable code), or
other attacks.
reference:
- https://portswigger.net/kb/issues/00100900_http-put-method-is-enabled
tags: injection,misconfig
metadata:
max-request: 2
2020-08-19 12:17:24 +00:00
http:
2020-08-19 12:17:24 +00:00
- raw:
- |
2020-08-19 14:18:50 +00:00
PUT /testing-put.txt HTTP/1.1
Host: {{Hostname}}
2020-08-19 12:17:24 +00:00
Content-Type: text/plain
2020-08-19 14:33:55 +00:00
2021-05-04 11:02:53 +00:00
{{randstr}}
2020-08-19 14:18:50 +00:00
- |
GET /testing-put.txt HTTP/1.1
Host: {{Hostname}}
2020-08-19 12:17:24 +00:00
Content-Type: text/plain
2020-08-19 14:18:50 +00:00
2021-03-11 14:17:22 +00:00
req-condition: true
2020-08-19 12:17:24 +00:00
matchers:
- type: dsl
dsl:
2021-05-04 11:02:53 +00:00
- 'contains(body_2, "{{randstr}}")'