Understanding and exploiting HTTP for bug bounty


Whenever we want to make a request, there are several methods to choose from, depending on what we want to do.

Here is the list.

GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH

In the example above I have used GET.

GET HTTP/1.1 200 OK

Note: HTTP/1.1 is the HTTP version used in the request and the 200 response means that everything went right.

Now let’s explain all methods.

1) GET

Probably the most used method.

GET is used for almost everything (except, usually, logins).

For example, when you search for something on the web, you are 99% probably using GET.

2) POST

As we mentioned above, GET is not used for logins, because whenever we use GET the parameters are passed in the URL and show up in the browser's address bar.

Figure: A simple search on a site using GET

But when you log into your bank account or your e-mail, sensitive information such as the username and password cannot be passed in the address bar.

So POST is the same as GET, except that the parameters are not shown in the URL; they are sent in the request body instead.

3) HEAD

This method is used when you want to see only the headers of an HTTP response, without the body.

These are simple HTTP headers.

Server: nginx/1.19.0
Date: Wed, 05 May 2021 12:53:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Content-Encoding: gzip

4) PUT

Probably the most dangerous HTTP method.

PUT is used when you want to upload files on the server.

This method should be disabled.

Note: If the file is uploaded successfully, the server will respond with 201 (Created, i.e. file uploaded).

5) DELETE

Another dangerous method.

This is used when you want to delete files on the server.

Note: If the file is deleted successfully, the server will respond with 202 (Accepted).

6) CONNECT

CONNECT is used when you want to create a tunnel between you and the server.

CONNECT server.example.com:80 HTTP/1.1

7) TRACE

In the past, this method was used for debugging purposes.

When you use TRACE, the server responds with the exact request that you made, and the browser prompts you to download a file that contains the saved request.

If enabled, this method can be used to exploit XST (cross-site tracing).

However, for security reasons TRACE cannot be used from modern browsers (apart from Internet Explorer).

8) OPTIONS

OPTIONS is used when you want to know which HTTP methods are active on the server.

9) PATCH

PATCH is used when you want to modify something on your server.

For example, the content of a file.
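A defender-side check for the PUT, DELETE, TRACE and OPTIONS notes above, as an added example that is not from the original article: it parses saved raw responses (constructed sample data, one per method probed against your own server) and reports risky methods that are advertised in Allow or actually accepted. The names RISKY, parse_response, audit and SAMPLE are hypothetical.

```python
from email.parser import BytesParser

# Methods the article calls dangerous or abusable when left enabled.
RISKY = {"PUT", "DELETE", "CONNECT", "TRACE"}

def parse_response(raw: bytes):
    """Split one raw HTTP/1.1 response into (status code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    status = int(status_line.split()[1])
    headers = BytesParser().parsebytes(header_block + b"\r\n\r\n", headersonly=True)
    return status, headers, body

def audit(probes: dict) -> list:
    """probes maps the method that was sent to the raw response it got."""
    findings, advertised = [], set()
    if "OPTIONS" in probes:
        _, headers, _ = parse_response(probes["OPTIONS"])
        advertised = {m.strip().upper() for m in headers.get("Allow", "").split(",")}
        findings += [(m, "advertised in Allow") for m in sorted(advertised & RISKY)]
    for method in sorted(set(probes) & RISKY):
        status, headers, _ = parse_response(probes[method])
        if not 200 <= status < 300:
            continue  # 405/501 etc.: the server refused the method
        note = "" if method in advertised else ", although Allow does not list it"
        findings.append((method, f"accepted with {status}{note}"))
        if method == "TRACE" and headers.get_content_type() == "message/http":
            findings.append((method, "request echoed back (XST precondition)"))
    return findings

# Constructed sample capture (not from the article): one response per probed method.
SAMPLE = {
    "OPTIONS": b"HTTP/1.1 200 OK\r\nAllow: GET, HEAD, POST, OPTIONS, TRACE\r\n\r\n",
    "PUT": b"HTTP/1.1 201 Created\r\nContent-Length: 0\r\n\r\n",
    "DELETE": b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n",
    "TRACE": b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
             b"TRACE / HTTP/1.1\r\nHost: app.example\r\nCookie: sid=constructed\r\n\r\n",
}

if __name__ == "__main__":
    for method, issue in audit(SAMPLE):
        print(f"{method}: {issue}")
```

The PUT finding shows why the Allow header alone is not enough: a server can accept a method it does not advertise, so the status code of each probe is what counts.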
