id: put-method-enabled

info:
  name: PUT Method Enabled
  author: xElkomy
  severity: high
  description: The HTTP PUT method is normally used to upload data that is saved on the server at a user-supplied URL. If enabled, an attacker may be able to place arbitrary, and potentially malicious, content into
    the application. Depending on the server's configuration, this may lead to compromise of other users (by uploading client-executable scripts), compromise of the server (by uploading server-executable code), or
    other attacks.
  reference:
    - https://portswigger.net/kb/issues/00100900_http-put-method-is-enabled
  tags: injection

requests:
  - raw:
      - |
        PUT /testing-put.txt HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/plain

        {{randstr}}

      - |
        GET /testing-put.txt HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/plain

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "{{randstr}}")'

# Enhanced by mp on 2022/04/20