8

How can I identify the different HTTP methods supported by a web server, like OPTIONS, TRACE, etc.?

I have tried the nc command on Linux. But it doesn't work. It doesn't show me the HTTP methods supported, some other HTTP headers are returned along with the requested HTML page. Is there another solution?

Peter Mortensen
Anandu M Das

4 Answers

8

As there are only a few methods (OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE and CONNECT), you can use a script and nc to send a request to all allowed methods and parse the results:

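```sh
# Replace server-hostname with the host you are testing.
for method in OPTIONS GET HEAD POST PUT DELETE TRACE CONNECT; do
    printf '\n\nTrying %s\n\n' "$method"
    # HTTP/1.1 request lines and headers must end in CRLF, so use printf with \r\n
    printf '%s / HTTP/1.1\r\nHost: server-hostname\r\nConnection: close\r\n\r\n' "$method" |
        nc server-hostname 80 | head
    sleep 2
done
```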

HTTP errors 400, 403, 405 and 406 are generally the types returned when trying to use a method that is not implemented.

ThoriumBR
  • 11
    Is that trying to `DELETE` the path `/`, just to find out whether it works? – Volker Siegel Oct 13 '14 at 21:08
  • 1
    Yes, that's the thing I am afraid of. What if `DELETE` is supported? Will it delete it? – Anandu M Das Oct 14 '14 at 05:40
  • 2
    Getting an error does *not* mean that the method is not implemented... For example, if I get a 400 or 403 for `POST`, I will not think "Oh `POST` must not be supported", I will think "Duh, what data should I put in the HTTP content?" – Jean Hominal Oct 14 '14 at 08:17
  • 2
    When a webserver supports the DELETE method on the domain root without any form of authentication, the admin is obviously clueless. Unfortunately many lawyers, prosecutors, judges and juries are equally clueless, so getting a subpoena for computer sabotage isn't completely implausible. Keep in mind that PUT can be equally destructive. – Philipp Oct 14 '14 at 09:11
  • 2
    Shouldn't this be checking for the error code `501 Not Implemented`? – Ismael Miguel Oct 14 '14 at 09:22
  • You should look for `501` too, but as far as I can tell, the majority of servers don't display `501 Not Implemented`, but `405 Method not allowed` instead. – ThoriumBR Oct 14 '14 at 12:14
  • Also, the list of HTTP methods is maintained in the [HTTP Method Registry](http://www.iana.org/assignments/http-methods/http-methods.xhtml). There are 38 methods in total, most of them defined by WebDAV. – Jean Hominal Oct 14 '14 at 12:29
8

Per RFC2616, the OPTIONS method should return the supported methods. The keyword is "should", since this isn't always the case. As the prior posts have already pointed out, each method needs to be tested separately to be sure.

anon
  • 3
    What if the `OPTIONS` method is not among the supported methods? – Brandon Oct 13 '14 at 20:55
  • 3
    @Brandon: If the OPTIONS method isn't supported, that means the server doesn't support enumerating available methods in the standard way. In other words, you're screwed anyway. A server that doesn't support the standard's prescribed way of doing things may still be capable of doing it through a non-standard way, but a generic HTTP client wouldn't be able to venture a guess of what that way will be, since the server isn't standard-compliant. You'll have to make do with poke and see. – Lie Ryan Oct 14 '14 at 09:51
5

The only way to identify the methods supported by a web server is to try each one and evaluate the response to determine if it indicates the method is supported or not. You can't simply query to ask which methods it supports; it won't give you a list.

That said, there are better tools than nc. Nmap and Metasploit both support HTTP method scanning and essentially automate the work for you.

gowenfawr
2

There are circumstances where an HTTP server will return a list of supported methods for a given resource in its Allow response header, according to RFC 7231 (the new RFC for HTTP 1.1 semantics):

  • First in the response to an OPTIONS request, either on a specific resource path, or on the special * path (which would mainly describe the capabilities of the server);
  • Second, if a method which is known, but not supported by the server on a given resource is tried, the server can respond with a 405 Method Not Allowed status code; in that case, it must give the list of allowed methods in the Allow response header;
  • For any other HTTP request, the origin server is allowed to return a list of supported methods in the Allow response header;

But what if the server does not cooperate? E.g. you have tried an OPTIONS * request, various GET requests, and the server never returns a list of allowed methods in an Allow header? Or what if the server replies, but you suspect that it is lying?

Then you do not know, and you will have to live with it. What you will do will depend on your goal:

  • If you are simply trying to use the target system, you should do the cautious thing by assuming that only GET is supported, and obtain more documentation about how to use the system;
  • If you are doing penetration testing, then you can test all the known verbs, test some less known ones (such as PATCH) or even invent some of your own; more generally, part of the test would be throwing garbage at the system to see how it reacts;

However, think about why you want to know the list of supported verbs - because without additional data, knowing which verbs are used is close to useless (e.g. I know that https://accounts.google.com/AddSession accepts the POST verb - what good does simply knowing the verb do to me if I do not know what data should be in, in what format, etc.?)

Jean Hominal
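An added example, not code from any of the answers above: shell helpers for auditing a server you administer, which read a raw HTTP response and apply the rules discussed in the answers and comments (405 and 501 refuse the method, the Allow header lists methods, other errors prove nothing). The function names and the sample responses are constructed for illustration.

```sh
# Added example: interpret raw HTTP responses (read from stdin) during a method audit.

# Constructed sample responses, not captured from a real server.
sample_405() { printf 'HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, OPTIONS\r\n\r\n'; }
sample_403() { printf 'HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n'; }
sample_options() {
    # Two Allow fields in mixed case, plus a decoy line in the body.
    printf 'HTTP/1.1 200 OK\r\nallow: GET,HEAD\r\nAllow: POST , OPTIONS\r\n\r\nAllow: DELETE\r\n'
}

# Print the status code from the status line.
status_code() {
    tr -d '\r' | awk 'NR == 1 { print $2; exit }'
}

# Print every method named in an Allow header field, one per line.
allow_methods() {
    tr -d '\r' | awk '
        $0 == "" { exit }                      # blank line: end of headers
        tolower($0) ~ /^allow:/ {              # field names are case-insensitive
            sub(/^[^:]*:/, "")
            n = split($0, m, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", m[i])
                if (m[i] != "") print m[i]
            }
        }'
}

# usage: verdict METHOD < raw-response
verdict() {
    v_resp=$(cat)
    v_code=$(printf '%s\n' "$v_resp" | status_code)
    case $v_code in
        405|501) echo rejected ;;              # explicit refusal of the method
        2??)     echo accepted ;;
        *)  # 400, 403, 406 ...: the error may concern the request, not the method
            if printf '%s\n' "$v_resp" | allow_methods | grep -qxF -- "$1"; then
                echo advertised
            else
                echo inconclusive
            fi ;;
    esac
}

# Live use (not run here): one OPTIONS request with CRLF line endings.
# usage: probe_options HOST [PORT] | allow_methods
probe_options() {
    printf 'OPTIONS / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$1" |
        nc "$1" "${2:-80}"
}
```

An OPTIONS probe changes nothing on the server, so reading its Allow header first narrows down which methods are worth testing individually.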