@nullenc0de
Created May 23, 2025 16:19
id: wrong-method-detection

info:
  name: HTTP Method and Authentication Misconfiguration Detector
  author: yourmom
  severity: medium
  description: |
    Identifies endpoints rejecting GET requests with HTTP 405 errors and verifies if
    the allowed method (from Allow header) works without authentication.
  reference:
    - https://datatracker.ietf.org/doc/html/rfc7231#section-6.5.5
  tags: http,misconfiguration,methods,authentication,api
  classification:
    cwe-id: CWE-287
    cvss-metrics: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
  metadata:
    max-request: 2
    verified: true

variables:
  default_method: "POST"

http:
  - method: GET
    path:
      - "{{BaseURL}}"
    matchers-condition: or
    matchers:
      - type: status
        status:
          - 405
      - type: word
        part: body
        words:
          - "Method Not Allowed"
          - "Unsupported method"
          - "Allowed methods:"
          - "Method GET not supported"
        condition: or
      - type: regex
        part: body
        regex:
          - '(?i)"?(error|message)"?\s*:\s*".*method.*not.*allowed.*"'
          - '(?i)"?status"?\s*:\s*"405"'
    extractors:
      - type: regex
        name: allowed_method
        part: header
        group: 1
        regex:
          - '(?i)Allow:\s*(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH|TRACE|CONNECT)(?:[,\s]+[A-Z]+)*'
        internal: true

  - raw:
      - |
        {{allowed_method | default_method}} {{BaseURL}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"placeholder": true}
    matchers-condition: and
    matchers:
      - type: status
        negative: true
        status:
          - 401
          - 403
          - 407
      - type: regex
        part: body
        negative: true
        regex:
          - '(?i)"?(error|message)"?\s*:\s*".*(auth|unauthorized|token|key|credential|permission|login).*"'
      - type: word
        part: header
        negative: true
        words:
          - "WWW-Authenticate"
          - "Bearer"
          - "OAuth"
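The template's two-step decision (405 on GET, Allow-header extraction with the POST fallback, then the negative auth matchers on the follow-up reply) re-implemented offline in Python as an added example that is not part of the gist; it applies the same regexes to constructed responses so the rules can be checked without a scanner or a target.

```python
"""Offline re-implementation of the gist template's matching rules (added example,
not the template author's code). Responses below are constructed, not captured."""
import re

DEFAULT_METHOD = "POST"  # mirrors the template's default_method variable

# Step 1 (first request): does the GET response look like "method not allowed"?
BODY_405_WORDS = ("Method Not Allowed", "Unsupported method",
                  "Allowed methods:", "Method GET not supported")
BODY_405_RE = [re.compile(r'(?i)"?(error|message)"?\s*:\s*".*method.*not.*allowed.*"'),
               re.compile(r'(?i)"?status"?\s*:\s*"405"')]
ALLOW_RE = re.compile(r'(?i)Allow:\s*(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH|TRACE|CONNECT)'
                      r'(?:[,\s]+[A-Z]+)*')

# Step 2 (follow-up request): negative matchers; any hit means the endpoint IS protected.
AUTH_BODY_RE = re.compile(
    r'(?i)"?(error|message)"?\s*:\s*".*(auth|unauthorized|token|key|credential|permission|login).*"')
AUTH_HEADER_WORDS = ("WWW-Authenticate", "Bearer", "OAuth")


def get_is_rejected(status: int, body: str) -> bool:
    """First request, matchers-condition 'or': status 405, a body keyword, or a body regex."""
    return (status == 405
            or any(w in body for w in BODY_405_WORDS)
            or any(r.search(body) for r in BODY_405_RE))


def pick_method(raw_headers: str) -> str:
    """Extractor: first method named in the Allow header (group 1), else the default."""
    m = ALLOW_RE.search(raw_headers)
    return m.group(1).upper() if m else DEFAULT_METHOD


def unauthenticated_access(status: int, raw_headers: str, body: str) -> bool:
    """Follow-up request, matchers-condition 'and': every negative matcher must be absent."""
    if status in (401, 403, 407):
        return False
    if AUTH_BODY_RE.search(body):
        return False
    if any(w in raw_headers for w in AUTH_HEADER_WORDS):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample exchange: GET rejected with Allow: PUT, POST; PUT then answered 200.
    first_headers = "HTTP/1.1 405 Method Not Allowed\r\nAllow: PUT, POST\r\n"
    if get_is_rejected(405, ""):
        method = pick_method(first_headers)
        print(method, "without auth:", unauthenticated_access(200, "Content-Type: text/plain", "ok"))
```

A follow-up reply that passes every negative matcher is only a finding when the endpoint is supposed to require authentication; a public login or form-submission route will satisfy these rules by design.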