PUT
, DELETE
, etc. The HTTP methods abuse is not aimed at gaining access to a specific page like verb tampering but more like what methods are accepted by the server and how can an attacker profit from those.OPTIONS
method can also be used to enumerate what methods are supported. This works if the OPTIONS
methods is allowed in the first place.PUT
methodPUT
method can be used to upload arbitrary files. Some directories have different rights, it can be useful to test the method on a wide range of directories.PUT
method also applies to CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the read-only initialization parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server..jsp
file and by uploading it to the target server.