> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/enumeration/trick-0255.md).

# Data Discovery Via HTTP Method Fuzzing

***

Iterate through common HTTP methods (GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH, TRACE) on a target endpoint (e.g., `/`). Use a tool like Burp Proxy to send requests with each method and observe the responses. Web servers and applications may handle different methods unexpectedly, sometimes revealing hidden content or different functionality, as seen when a flag was revealed specifically in the response to a `PUT` request on the target endpoint. Analyze the responses for unusual status codes or content changes.

Alternatively, command-line tools like `curl` can be used to test specific methods. For example, to check supported methods using `OPTIONS`:

```bash
curl -X OPTIONS http://www.example.com/
```

To attempt sending data with `PUT`:

```bash
curl -v -X PUT http://example.com/file.txt -d 'data'
```

Or to attempt deleting a resource with `DELETE`:

```bash
curl -v -X DELETE http://example.com/file.txt
```

The PUT method is used to modify or create a resource at a particular Uniform Resource Identifier (URI), essentially replacing the resource entirely at that URI. It creates a new resource or replaces a representation of the target resource with the request payload. In contrast, POST is generally used to send data to a specific URI for processing, often resulting in the creation of a new resource under that URI (a child resource). HTTP PATCH requests are used for applying partial modifications to a resource.

When testing methods, observing status codes is crucial. A `405 Method Not Allowed` status code indicates that the server understands the request method, but the target resource does not support that method. This response is sent when the requested method is known by the server but has been disabled and cannot be used for the requested resource. Analyzing which methods return 405 and which return other codes (like 200 OK or 403 Forbidden) can reveal accepted methods or different handling logic. Often, a 405 response will include an `Allow` header listing the methods that *are* supported for the target resource.

A common vulnerability related to method testing is when the HTTP PUT method is enabled on the server. This can sometimes allow an attacker to upload arbitrary content to the server. To test for this, send an HTTP PUT request to a file on the server. If the server responds with `200 OK` or `201 Created`, then the PUT method is enabled, and you can then attempt to upload arbitrary content using this method, potentially leading to file upload vulnerabilities.
