Today I will discuss how to test server misconfiguration issues such as banner grabbing, HTTP methods and server version disclosure using Burp Suite (proxy tool).

HTTP offers a number of methods that can be used to perform actions on the web server. Many of these methods are designed to aid developers in deploying and testing HTTP applications. These HTTP methods can be used for malicious purposes if the web server is misconfigured.
Methods such as TRACE, HEAD, DELETE, PUT, DEBUG and PROPFIND can pose a security risk for a web application, since some of them allow an attacker to modify the files stored on the web server.

1. Discover the Supported Methods
The OPTIONS HTTP method provides the tester with the most direct and effective way to discover the different methods allowed on a server.
Capture the request in Burp Suite and just change the method type.

[Screenshot: OPTIONS request in Burp Suite]

[Screenshot: OPTIONS response]

Thus we can see that almost all methods are allowed on the server.

2. Exploiting PUT Method:

The PUT method is used to upload files to the server. If it is allowed pre-authentication, it can also lead to defacement of your web application.

Capture the request, change the method to “PUT” and append a file name “PutMethod.txt”, as shown in the screenshot below.

[Screenshot: PUT request]

[Screenshot: PUT response]

If the file is successfully uploaded to the server, you’ll get a 201 Created response, as seen in the screenshot above.

3. Exploiting DELETE Method:
The DELETE method works in the same way as PUT but is used to delete any file from the server. If enabled, an attacker can also delete the index page of the web application, leading to denial of service for end users.

[Screenshot: DELETE request]

[Screenshot: DELETE response]

If the file is successfully deleted, you’ll get a 200 OK response, as seen in the screenshot above.

4. Exploiting TRACE Method:

TRACE allows the client to see what is being received at the other end of the request chain and use that data for testing or diagnostic purposes. Cross-Site Tracing (XST) abuses it to steal a user’s cookies via Cross-Site Scripting even if the cookie has the “HttpOnly” flag set, and it can also expose the user’s Authorization header.
The HttpOnly cookie attribute is meant to protect a cookie from being accessed by JavaScript.

Capture the request in Burp Suite and change the method to TRACE. The modified request is shown below. You can also inject a script into the request, as shown below:

[Screenshot: TRACE request]

[Screenshot: TRACE response]

Thus the entire request, including sensitive information such as cookie details, is echoed back in the response and an attacker is able to steal the cookie information. The injected script was also executed.
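The two checks from sections 1 and 4 (which methods the Allow header advertises, and whether a TRACE response echoes the Cookie header) can be automated against responses copied out of the proxy. This is an added example, not code from the original post; the sample responses are constructed and the function names are my own.

```python
"""Flag HTTP method misconfigurations from captured OPTIONS and TRACE responses."""

# Methods the post names as risky when exposed pre-authentication. HEAD is also
# listed there, but it is a standard read-only method and is not flagged here.
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "DEBUG", "PROPFIND"}


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def allowed_methods(options_response: bytes) -> set:
    """Methods advertised in the Allow header of an OPTIONS response."""
    _, headers, _ = parse_response(options_response)
    return {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}


def risky_allowed(options_response: bytes) -> list:
    """Advertised methods that should not be reachable without authentication."""
    return sorted(allowed_methods(options_response) & RISKY_METHODS)


def trace_reflects_cookie(trace_response: bytes) -> bool:
    """True if TRACE succeeded and the echoed request contains a Cookie header (XST)."""
    status, headers, body = parse_response(trace_response)
    if status != 200 or not headers.get("content-type", "").startswith("message/http"):
        return False
    return b"\r\ncookie:" in body.lower()


# Constructed sample responses, shaped like what Burp shows in the Response tab.
OPTIONS_SAMPLE = (b"HTTP/1.1 200 OK\r\nAllow: GET, HEAD, POST, OPTIONS, TRACE, PUT, DELETE\r\n"
                  b"Content-Length: 0\r\n\r\n")
TRACE_SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\nContent-Length: 64\r\n\r\n"
                b"TRACE / HTTP/1.1\r\nHost: example.test\r\nCookie: session=abc123\r\n\r\n")

if __name__ == "__main__":
    print("risky methods allowed:", risky_allowed(OPTIONS_SAMPLE))  # ['DELETE', 'PUT', 'TRACE']
    print("TRACE echoes Cookie header:", trace_reflects_cookie(TRACE_SAMPLE))  # True
```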

Thank you for reading !! See you soon with the next update 🙂