A recent email by Dave Aitel to the Dailydave mailing list on Pen testing web servers was an inspiration to publishing a short, but simple script. I like to keep things simple when I write scripts, taking the Unix philosophy of doing one thing and doing it well.

bruteoptions.py takes two arguments: 1) a FQDN of a known site, and 2) a file with directory names. The script runs through and performs an OPTIONS HTTP Request for each directory name in the file. In the past, I’ve used a combination of directories I’ve identified while browsing/spidering a website through Burp, and the other partly a dictionary list taken from a tool like OWASP DirBuster.

Using the tool is simple, just specify the site FQDN to scan and give it a file as a second argument.

$ ./bruteoptions.py
./gethttpoptions.py <url> <list of directories>

$ ./bruteoptions.py tssci-security.com dirs
“tssci-security.com”,”/about/”,”200 OK”,”Apache/1.3.39 (Unix)”,”None”
“tssci-security.com”,”/upload/”,”200 OK”,”Apache/1.3.39 (Unix)”,”GET, HEAD, OPTIONS, TRACE”
“tssci-security.com”,”/projects/”,”200 OK”,”Apache/1.3.39 (Unix)”,”None”

An interesting thing I’ve just noticed, is the lack of allowed methods returned for a virtual directory, versus an actual directory when run against my site. If anyone cares to comment about this, I’d be interested to know what is the cause.

You can download the script from the bruteoptions.py project page.