HTTP Method Tester

Discover which HTTP methods a server accepts and identify dangerous methods like TRACE (XST), PUT, DELETE, and CONNECT that could be exploited.

What is HTTP Method Testing?

Web servers respond to different HTTP methods (verbs) like GET, POST, PUT, DELETE, and TRACE. While GET and POST are standard, methods like TRACE can enable Cross-Site Tracing (XST) attacks, and unrestricted PUT/DELETE can allow unauthorized file manipulation. Testing which methods are enabled helps identify potential attack vectors.

Why is TRACE Dangerous?

The TRACE method echoes the full request back to the client, including headers like cookies and authorization tokens. Combined with XSS, an attacker can steal HttpOnly cookies that are normally inaccessible to JavaScript — this is known as a Cross-Site Tracing (XST) attack.

Best Practices

  • Disable TRACE and CONNECT on all production web servers
  • Restrict PUT and DELETE to authenticated API endpoints only
  • Use the Allow header to explicitly declare supported methods
  • Return 405 Method Not Allowed for unsupported methods
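The following is an added example, not code from the HTTP Method Tester page or the tool itself, showing the last two best practices applied on a server and then verified from the client side against that same server. It uses only the Python standard library: a small http.server handler (StrictMethodHandler, a name chosen here) that serves GET, HEAD and OPTIONS, advertises exactly those verbs in an Allow header, and answers every other verb, TRACE and CONNECT included, with 405 Method Not Allowed. The audit_allow_header and check_server helpers are also this example's own: the first flags risky verbs advertised in an Allow header, the second confirms on localhost that none of the verbs the page names are accepted.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Verbs this example server is willing to serve; everything else gets 405.
ALLOWED_METHODS = ("GET", "HEAD", "OPTIONS")

# Verbs the page singles out as risky when left enabled on a production server.
DANGEROUS_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT"}


def audit_allow_header(allow_value):
    """Parse an Allow header value and return the risky verbs it advertises, sorted."""
    advertised = {m.strip().upper() for m in allow_value.split(",") if m.strip()}
    return sorted(advertised & DANGEROUS_METHODS)


class StrictMethodHandler(BaseHTTPRequestHandler):
    """Serves GET/HEAD/OPTIONS only; any other verb (TRACE, PUT, DELETE, CONNECT, ...) gets 405."""

    def log_message(self, *args):  # keep the example quiet
        pass

    def _send_allow(self):
        # Explicitly declare the supported verbs (best practice: use the Allow header).
        self.send_header("Allow", ", ".join(ALLOWED_METHODS))

    def do_GET(self):
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_OPTIONS(self):
        self.send_response(200)
        self._send_allow()
        self.send_header("Content-Length", "0")
        self.end_headers()

    def _method_not_allowed(self):
        # Best practice: 405 plus an Allow header for anything not on the allowlist.
        self.send_response(405)
        self._send_allow()
        self.send_header("Content-Length", "0")
        self.end_headers()

    def __getattr__(self, name):
        # BaseHTTPRequestHandler dispatches on do_<METHOD>; every verb not defined
        # above (TRACE, PUT, DELETE, CONNECT, PATCH, ...) is routed to the 405 responder.
        if name.startswith("do_"):
            return self._method_not_allowed
        raise AttributeError(name)


def start_server():
    """Start the example server on an ephemeral localhost port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), StrictMethodHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(port, method):
    """Send one request with the given verb; returns (status, Allow header value or '')."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, "/")
    resp = conn.getresponse()
    resp.read()
    allow = resp.getheader("Allow", "")
    conn.close()
    return resp.status, allow


def check_server(port):
    """Verify your own server: return the risky verbs it accepts (anything other than 405/501)."""
    accepted = []
    for method in sorted(DANGEROUS_METHODS):
        status, _ = probe(port, method)
        if status not in (405, 501):
            accepted.append(method)
    return accepted


if __name__ == "__main__":
    server, port = start_server()
    status, allow = probe(port, "OPTIONS")
    print("OPTIONS ->", status, "Allow:", allow, "risky advertised:", audit_allow_header(allow))
    print("TRACE ->", probe(port, "TRACE")[0])
    print("risky verbs accepted:", check_server(port))
    server.shutdown()
```

The `__getattr__` hook is what makes the allowlist strict: http.server normally answers an unknown verb with 501, which hides nothing but also does not tell the client what is supported, so the handler intercepts every `do_*` lookup it has not defined and returns the same 405-with-Allow response. Run against a real deployment, `check_server` should come back empty and `audit_allow_header` on the OPTIONS response should return no entries; a non-empty result from either is the finding to fix in the server configuration.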