HTTP Cookbook: HTTP Methods

When you are attacking web applications, you will be dealing almost exclusively with the most commonly used methods: GET and POST. There are some important differences between these methods which you need to be aware of, and which can affect an application’s security if overlooked.

GET Method

The GET method is designed for retrieval of resources. It can be used to send parameters to the requested resource in the URL query string. This enables users to bookmark a URL for a dynamic resource that can be reused by themselves or other users to retrieve the equivalent resource on a subsequent occasion (as in a bookmarked search query). URLs are displayed on-screen, and are logged in various places, such as the browser history and the web server’s access logs.

POST Method

The  POST method is designed for performing actions. With this method, request parameters can be sent both in the URL query string and in the body of the message. Although the URL can still be bookmarked, any parameters sent in the message body will be excluded from the bookmark. Browsers do not automatically reissue POST requests made by users, because these might result in an action being performed more than once.

Some Other Methods

HEAD — This functions in the same way as a GET request except that the server should not return a message body in its response. The server should return the same headers that it would have returned to the corresponding GET request. Hence, this method can be used for checking whether a resource is present before making a GET request for it.

TRACE — This method is designed for diagnostic purposes. The server should return in the response body the exact contents of the request message that it received. This can be used to detect the effect of any proxy servers between the client and server that may manipulate the request. It can also sometimes be used as part of an attack against other application users.

OPTIONS — This method asks the server to report the HTTP methods that are available for a particular resource. The server will typically return a response containing an Allow header that lists the available methods.

PUT — This method attempts to upload the specified resource to the server, using the content contained in the body of the request. If this method is enabled, then you may be able to leverage it to attack the application; for example, by uploading an arbitrary script and executing this on the server.

Many other HTTP methods exist that are not directly relevant to attacking web applications.