• caglararli@hotmail.com
  • 05386281520

Why does NMAP’s Http-Method-Tampering Mark a Server’s 405 Code as Vulnerable?

Çağlar Arlı      -    48 Views

Why does NMAP’s Http-Method-Tampering Mark a Server’s 405 Code as Vulnerable?

I recently tested a custom server with the http method tamper script from NMAP. It reported the server as being vulnerable with the following output:

nmap -p 8000 -sV --script http-method-tamper 192.168.68.63

| http-method-tamper:
|   VULNERABLE:
|   Authentication bypass by HTTP verb tampering
|     State: VULNERABLE (Exploitable)
|       This web server contains password protected resources vulnerable to authentication bypass
|       vulnerabilities via HTTP verb tampering. This is often found in web servers that only limit access to the
|        common HTTP methods and in misconfigured .htaccess files.
|              
|     Extra information:
|      
|   URIs suspected to be vulnerable to HTTP verb tampering:
|     / [POST]
|  

The server only allows GET, HEAD, OPTIONS, PUT methods. It checks for these allowed HTTP verbs before doing any authentication/authorization check (i.e. 405 will show up before 401s or 403s). It's unclear to me why a 405 would be flagged as vulnerable as 405 doesn't seem like the wrong choice if someone issues a POST.