
Why does NMAP’s Http-Method-Tampering Mark a Server’s 405 Code as Vulnerable?

Çağlar Arlı


I recently tested a custom server with the http-method-tamper script from Nmap. It reported the server as being vulnerable, with the following output:

nmap -p 8000 -sV --script http-method-tamper 192.168.68.63

| http-method-tamper:
|   VULNERABLE:
|   Authentication bypass by HTTP verb tampering
|     State: VULNERABLE (Exploitable)
|       This web server contains password protected resources vulnerable to authentication bypass
|       vulnerabilities via HTTP verb tampering. This is often found in web servers that only limit access to the
|        common HTTP methods and in misconfigured .htaccess files.
|              
|     Extra information:
|      
|   URIs suspected to be vulnerable to HTTP verb tampering:
|     / [POST]
|  

The server only allows the GET, HEAD, OPTIONS and PUT methods. It checks for these allowed HTTP verbs before doing any authentication/authorization check (i.e. a 405 will show up before any 401 or 403). It's unclear to me why a 405 would be flagged as vulnerable, since a 405 doesn't seem like the wrong choice if someone issues a POST.
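The following is an added example, written for this page; it is not part of the original post and it is not Nmap's own code. It reproduces the situation described above in Python: an in-process mock server that checks its method allow-list (GET, HEAD, OPTIONS, PUT) before authentication, so an unknown verb gets a 405 while an allowed verb without credentials gets a 401, plus a small probe that sends several verbs and records the status each one gets. The mock server, the `user:pass` credential and both classification rules are constructed for the example. `classify` is one reasonable way to read a probe result (a 405 means the verb was refused before authn/authz ran, and nothing was served); `loose_flag` is a purely hypothetical rule that treats anything other than an explicit 401/403 as a bypass, included only to show how such a rule over-reports a 405. Neither function is a statement about how the http-method-tamper script itself decides.

```python
"""Added example (not from the original post, not Nmap code): a minimal HTTP
verb-tampering probe against a mock server that checks its method allow-list
before authentication, as the question describes."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_METHODS = ("GET", "HEAD", "OPTIONS", "PUT")  # per the question
VALID_AUTH = "Basic dXNlcjpwYXNz"  # base64("user:pass"); constructed credential


class MockProtectedServer(BaseHTTPRequestHandler):
    """Constructed mock of the questioner's server: method check first, auth second."""

    def _dispatch(self):
        if self.command not in ALLOWED_METHODS:
            self.send_response(405)                 # refused before any auth check
            self.send_header("Allow", ", ".join(ALLOWED_METHODS))
            self.end_headers()
            return
        if self.headers.get("Authorization") != VALID_AUTH:
            self.send_response(401)                 # allowed verb, no credentials
            self.send_header("WWW-Authenticate", 'Basic realm="test"')
            self.end_headers()
            return
        self.send_response(200)                     # authenticated: serve it
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(b"secret\n")

    def __getattr__(self, name):
        # BaseHTTPRequestHandler looks up do_<METHOD>; route every verb,
        # including ones it has never heard of, through _dispatch.
        if name.startswith("do_"):
            return self._dispatch
        raise AttributeError(name)

    def log_message(self, *args):  # silence per-request logging
        pass


def classify(status):
    """This example's own reading of a probe result (not Nmap's logic)."""
    if 200 <= status < 400:
        return "bypass"            # served without credentials: real finding
    if status in (401, 403):
        return "protected"         # authn/authz ran and denied the request
    if status in (405, 501):
        return "method rejected"   # verb refused before authn/authz ran
    return "other"


def loose_flag(status):
    """Hypothetical loose rule: anything that is not an explicit 401/403
    denial counts as a bypass. It flags a 405 even though nothing was
    served; included only to show why such a rule over-reports."""
    return status not in (401, 403)


def probe(host, port, path, methods, headers=None):
    """Send each verb to path on a fresh connection; return {method: status}."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request(method, path, headers=headers or {})
            resp = conn.getresponse()
            resp.read()
            results[method] = resp.status
        finally:
            conn.close()
    return results


def run_demo():
    """Start the mock, probe it with common and unknown verbs, and confirm
    that valid credentials really do unlock the resource."""
    srv = HTTPServer(("127.0.0.1", 0), MockProtectedServer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        port = srv.server_port
        results = probe("127.0.0.1", port, "/",
                        ["GET", "HEAD", "POST", "PUT", "XTEST"])
        results["GET+auth"] = probe("127.0.0.1", port, "/", ["GET"],
                                    {"Authorization": VALID_AUTH})["GET"]
        return results
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for verb, status in run_demo().items():
        print(f"{verb:9s} {status}  classify={classify(status):16s} "
              f"loose_flag={loose_flag(status)}")
```

Against the mock, GET, HEAD and PUT come back 401, POST and the made-up verb XTEST come back 405, and GET with the credential comes back 200. Under `classify` only the last of those is a bypass; under the hypothetical `loose_flag` rule the two 405s are flagged as well, which is the mismatch the question is about. Point `probe` at a real host instead of the mock to check whether a flagged URI actually returns a 2xx/3xx to an unauthenticated request, which is the only result that should be treated as a finding.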