Fuzzing HTTP methods is quite easy and, at the same time, quite helpful. Let's try to fuzz the HTTP verbs on a simple web application using Wfuzz. Fuzzing HTTP request methods can be done by following these steps:
- Execute the following command in the Terminal to get started with Wfuzz:
wfuzz -z list,PUT-POST-HEAD-OPTIONS-TRACE-GET -X FUZZ <url>
- The following screenshot shows the output of the preceding command:
The -z option specifies the payload. In this case, we used the list payload type (-z list,<values>, with the values separated by hyphens) to supply common HTTP request methods (GET, POST, HEAD, OPTIONS, TRACE, and PUT).
The -X option sets the HTTP request method used by the fuzzer. Because the FUZZ keyword is given as its value, Wfuzz substitutes each payload entry for it in turn. If the -X option is not provided, the fuzzer uses the HTTP GET request method by default.
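What the Wfuzz command above does on the wire, as an added example that is not from the original text or from Wfuzz itself: one request per method, with the status code recorded so you can see which methods a server you administer fails to reject. The target is a constructed local server; DemoHandler, probe_methods, accepted and run_demo are hypothetical names.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

METHODS = ["PUT", "POST", "HEAD", "OPTIONS", "TRACE", "GET"]  # same list as the wfuzz payload

class DemoHandler(BaseHTTPRequestHandler):
    """Constructed test target: implements GET, HEAD and OPTIONS only."""
    def _reply(self, body=b"", allow=None):
        self.send_response(200)
        if allow:
            self.send_header("Allow", allow)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":  # a HEAD response carries headers only
            self.wfile.write(body)
    def do_GET(self): self._reply(b"ok")
    def do_HEAD(self): self._reply()
    def do_OPTIONS(self): self._reply(allow="GET, HEAD, OPTIONS")
    def log_message(self, *args): pass  # keep the demo output quiet

def probe_methods(host, port, path="/", methods=METHODS):
    """Send one request per method and return {method: status code}."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request(method, path)
            resp = conn.getresponse()
            resp.read()  # drain the body before closing
            results[method] = resp.status
        finally:
            conn.close()
    return results

def accepted(results):
    """Methods not rejected with 405 (not allowed) or 501 (not implemented)."""
    return sorted(m for m, code in results.items() if code not in (405, 501))

def run_demo():
    # Bind the constructed server to a free loopback port and probe it.
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_methods("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    demo = run_demo()
    print(demo, "accepted:", accepted(demo))
```

Any method in the accepted list that the application does not need (TRACE and PUT are the usual candidates) is one to disable in the server configuration.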
Now, let's see how we can fuzz HTTP verbs using ffuf.