Top Ways to Exploit Verb Tempering Vulnerability

You all are very much aware of HTTP protocol and its services. HTTP is considered to authorize intermediate network elements to develop communications between clients and servers. HTTP is an application layer protocol designed within the framework of the Internet protocol suite.

List of Valid HTTP request Methods

1. GET: It is basically a method used for just receiving some data from the server or specific resource. This method requests are used only to read data and not for alteration and also may return cached data, the requests remain in the browser history.
2. Post: This method make request to send data to the server or resource. Its requests cannot be bookmarked more over requests have no limitations on data length. The parameters are not saved in browser history.
3. Head: The HEAD method is used to query only for information about a document, not for the document itself. HEAD is much faster than GET, as a much smaller amount of data is transferred.
4. Put: PUT involves to upload a file or completely replace whatever is available at the given URL with the client defined URL. Attacker took advantage of this method.
5. Delete: Through delete action a client or attacker get chance to remove file from server or can lead cascade and rollback of several transactions or message which can interrupt the communication.
6. Connect: Establishes a tunnel to provide secure connection and communication between client and server for examples HTTP proxy and SSL encryptions.
7. Options: The OPTIONS returns the HTTP methods that the server supports for the specified URL. It is used to describe the communication options for the target resource.
8. Trace: This method simply come back to the client whatever string has been sent to the server, and is used mainly for debugging purposes.

In this article we are going to perform http verb tampering and try to find out which method is allowed in host server.

LETS START!!!!

Boot up your kali Linux and turn on terminal to identify the running verbs in host IP. I will perform same task with different techniques.

  Metasploit  

Now Type msfconsole on terminal to load metasploit framework and use following module to identify supported options.

This module use to Display available HTTP options for each system.

msf > use auxiliary/scanner/http/options

msf auxiliary(options) >set rhosts 192.168.1.43

msf auxiliary(options) >set rport 80

msf auxiliary(options) >exploit

Look over highlighted part in screenshot that is showing which methods are allowed under HTTP (GET HEAD POST OPTIONS TRACE).

  Curl  

Through you can identify the running services on target IP. Type following command to make curl run.

curl -v -X OPTIONS 192.168.1.43

From screenshot it is confirm that curl is working properly by dumping same result as above. The highlighted part is showing which methods are allowed under HTTP (GET HEAD POST OPTIONS TRACE).

  Nikto  

It another tool to perform same function and try to analysis allowed method for HTTP. Execute the following command on terminal once again to scan target IP.

nikto -h 192.168.1.43

Pretty good!!! Now perceive towards screenshot the result is exactly same as above HTTP (GET HEAD POST OPTIONS TRACE).

  Nmap  

Nmap script finds out what options are supported by an HTTP server by sending an OPTIONS request.

nmap –script http-methods –script-args http-method.test-all=’/192.168.1.43’ 192.168.1.43

Superb!!! Not only it dumps the allowed method under HTTP (GET HEAD POST OPTIONS TRACE CONNECT) but also shown the potentially risky methods i.e. TRACE and CONNECT

  Netcat  

Try to connect with victim through netcat this will also demonstrate the victim and inform about the allowed methods.

nc 192.168.1.43 80

Hence result from all Five techniques is around same we have got that (GET HEAD POST OPTIONS TRACE) are some verb allow by HTTP.