HTTP Dangerous Methods Enabled - P1
How I got full control over the subdomain
This is going to be a short one.
Once again I was enumerating the subdomains of the target using my script: . Check out its . It includes CVE detection, URL and parameter extraction, and fuzzing for sensitive files/directories.
I found a subdomain, subdomain-ipeas.target.com, which had directory listing enabled. I spidered the site, but there were no sensitive directories or files. I tried host header injection to escalate it to web cache deception, but it wasn't vulnerable.
On these kinds of subdomains I generally check which HTTP methods the host accepts. This is done by sending a request with the OPTIONS method, as follows:
As can be seen, sending a request with the OPTIONS method returns the methods allowed for this host. In this case the following methods were allowed: GET, POST, DELETE, MOVE and more. Even though the PUT method was not listed, I still tried sending a PUT request to add my own HTML file to the website:
On visiting subdomain-ipeas.target.com/utkarsh.html I got:
Similarly, I could create the index.html file, so if a malicious hacker could host something malicious on the landing page (index.html) of the subdomain, it would be a huge hit to the company's reputation. I quickly restored the original landing page so as to save the company's reputation. Also, as the DELETE method was enabled, it was possible to delete all the directories and files present there.
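The OPTIONS check described above can be scripted so that every host found during enumeration is audited the same way. The following is an added example, not code from the original post or from the author's enumeration script: it sends OPTIONS, parses the Allow header, and flags state-changing methods (PUT, DELETE, MOVE and the other WebDAV verbs) that have no business on a static site. The `MisconfiguredHandler` is a constructed local stand-in for the host in the writeup, advertising DELETE and MOVE, so the example runs offline; the method list in `DANGEROUS_METHODS` is the author of this example's choice, not something the post specifies.

```python
"""Audit which HTTP methods a host advertises via OPTIONS and flag risky ones.

Added example (not from the original writeup). The local demo server below is a
constructed stand-in for the misconfigured subdomain described in the post.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods that let a client change server state. A static content host should
# accept none of these; MOVE/COPY/MKCOL/PROPPATCH/LOCK/UNLOCK indicate WebDAV.
DANGEROUS_METHODS = {
    "PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH",
    "LOCK", "UNLOCK", "TRACE", "CONNECT",
}


def parse_allow(header_value):
    """Split an Allow header value ("GET, POST, DELETE") into a set of methods."""
    if not header_value:
        return set()
    return {m.strip().upper() for m in header_value.split(",") if m.strip()}


def flag_dangerous(methods):
    """Return the sorted subset of advertised methods that modify server state."""
    return sorted(methods & DANGEROUS_METHODS)


def fetch_allow(host, port=80, path="/", timeout=5):
    """Send a single OPTIONS request and return (status, Allow header or None)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Allow")
    finally:
        conn.close()


def audit(host, port=80, path="/"):
    """Summarise what the host advertises and which of it is dangerous."""
    status, allow = fetch_allow(host, port, path)
    methods = parse_allow(allow)
    return {
        "status": status,
        "advertised": sorted(methods),
        "dangerous": flag_dangerous(methods),
    }


class MisconfiguredHandler(BaseHTTPRequestHandler):
    """Constructed demo: answers OPTIONS like the host in the writeup did."""

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, POST, DELETE, MOVE")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo server quiet


def start_demo_server():
    """Start the constructed demo server on an ephemeral loopback port."""
    server = HTTPServer(("127.0.0.1", 0), MisconfiguredHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_demo_server()
    print(audit("127.0.0.1", srv.server_port))
    # {'status': 200, 'advertised': ['DELETE', 'GET', 'HEAD', 'MOVE', 'POST'], 'dangerous': ['DELETE', 'MOVE']}
    srv.shutdown()
```

As the writeup itself shows, the Allow header is only what the server chooses to advertise: PUT was not listed yet was still accepted. Treat a clean OPTIONS result as necessary but not sufficient, and confirm on the server side by reviewing the configuration. On Apache this means a `<LimitExcept GET POST HEAD>` block containing `Require all denied` and `Dav Off` unless WebDAV is genuinely needed; on nginx, `limit_except GET POST { deny all; }` in the relevant `location` block.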
Impact:
1. Defacing and reputational damage
2. Stored XSS
3. Malware distribution and phishing
4. Complete takeover and DoS
That's all for now... Keep reading ⏭ 💯