Categories: default, safe
Finds out what options are supported by an HTTP server by sending an OPTIONS request. Lists potentially risky methods. It tests those methods not mentioned in the OPTIONS headers individually and sees if they are implemented. Any output other than 501/405 suggests that the method is if not in the range 400 to 600. If the response falls under that range then it is compared to the response from a randomly generated method.
In this script, "potentially risky" methods are anything except GET, HEAD, POST, and OPTIONS. If the script reports potentially risky methods, they may not all be security risks, but you should check to make sure. This page lists the dangers of some common methods:
The list of supported methods comes from the contents of the Allow and Public header fields. In verbose mode, a list of all methods is printed, followed by the list of potentially risky methods. Without verbose mode, only the potentially risky methods are shown.
The path to request. Defaults to
If set true tries all the unsafe methods as well.
If defined, do a request using each method individually and show the response code. Use of this argument can make this script unsafe; for example
DELETE /is possible. All methods received through options are tested with generic requests. Saved status lines are shown for rest.
See the documentation for the slaxml library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
nmap --script http-methods <target> nmap --script http-methods --script-args http-methods.url-path='/website' <target>
PORT STATE SERVICE REASON 80/tcp open http syn-ack | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS
License: Same as Nmap--See https://nmap.org/book/man-legal.html