Have you ever manually tested the Glassfish Authentication Bypass (CVE Details)? What about manually testing it on 40+ servers while dealing with indecisive people patching systems on the fly? I had that wonderful opportunity while running tests for a federal agency.
After all the headache and bureaucracy, I wrote a quick python program just to test for that specific case of verb tampering.
Time passed…and I switched jobs. During the interim, I spent a lot of time thinking about web verbs and what I could use them for as a penetration tester. Web verb tampering is on OWASP’s list but doesn’t seem to get the same amount of attention that the different types of injections command.
What this lead to was Verbinator. Verbinator tests web verbs and cases. Lots of web verbs. I found all of the RFC specified verbs plus some others used mostly by Microsoft. All of the RFC numbers and verbs are in the source if you’re interested. As a bonus, you can also cram some random text in for the verb because web servers absolutely LOVE unexpected input. While reading return data is barrels of fun, I also added a differential ability to show if the response changed when the web verb case was altered.
If you have any questions, comments, or ideas for improving the program, please let me know.
This is a direct collaboration with Doofenshmirtz Evil Incorporated all work is subject to platypus attack.
Source just rename it to .py verbinator