Howdy Readers,
During my random testing for my personal project toolkit for web application assessment, I found a very simple and very interesting vulnerability that allows me to easily pwn my target due to a HTTP method misconfiguration. The target has an HTTP PUT method-enabled vulnerability, and it was detected by Nuclei scan since one of the tools for my project toolkit is Nuclei from ProjectDiscovery.
What is the HTTP PUT method enabled?
HTTP PUT method allows clients to upload data to the server, often used for creating or modifying resources. If this method is enabled on a server or web application without proper restrictions or authentication, it can become a significant security vulnerability. Unauthorized users could potentially upload malicious files, overwrite existing files, or cause other forms of disruption.
So long story short. during my testing, I was able to upload a test HTML and text file for PoC, and it also allows me to overwrite the index file of the vulnerable target (easy deface).
