The HTTP has many numbers of methods that used for performing actions on the server. Most of them used for the production system, but many of them designed for testing of the HTTP application. That leads to high threat because of the system misconfiguration. Everyone knows the GET and POST they are the most common HTTP methods. As of today standards, there are eight methods available.
The most of them are potentially harmful if it not appropriately configured. These methods are much powerful as they can use for modify files and save on web server, in worst case scenarios it can use for stealing credentials and valuable information.
This can be checked by running the command using netcat
$ nc www.victim.com 80
OPTIONS / HTTP/1.1
Host: www.victim.com
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 31 Oct 2006 08:00:29 GMT
Connection: close
Allow: GET, HEAD, POST, TRACE, OPTIONS
Content-Length: 0
The vulnerability can be exploited using cross-site scripting. This can be leaveraged using two methods:-
This is usually done using TRACE.
The vulnerability can be fixed by:-