Inspired by this post by Dave Aitel to the Dailydave mailing list, I thought I would publish this script, which I wrote and have used to find out which HTTP methods a web directory accepts.

This script takes two arguments: 1) the FQDN of the site you’re accessing, and 2) a text file of directory names. I like to use a mix of spidered directory names and a dictionary file, such as one of those used by OWASP DirBuster.

$ ./bruteoptions.py
./gethttpoptions.py <url> <list of directories>

$ ./bruteoptions.py tssci-security.com dirs
"tssci-security.com","/about/","200 OK","Apache/1.3.39 (Unix)","None"
"tssci-security.com","/upload/","200 OK","Apache/1.3.39 (Unix)","GET, HEAD, OPTIONS, TRACE"
"tssci-security.com","/projects/","200 OK","Apache/1.3.39 (Unix)","None"

You can also download this script directly.

#!/usr/bin/env python
from __future__ import with_statement
import csv
import httplib
import socket
import sys

# Usage line printed (and exit status 1 returned) when fewer than two
# command-line arguments are supplied; see the __main__ guard below.
usage = "./gethttpoptions.py <url> <list of directories>"

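def make_conn(url, page, timeout=None):
    """Send an OPTIONS request for *page* to host *url* and return the response.

    Args:
        url: host to connect to, as accepted by httplib.HTTPConnection
            (a bare host name, or "host:port").
        page: request target, e.g. "/about/".
        timeout: socket timeout in seconds. None keeps the interpreter's
            default, under which a host that accepts the TCP connection but
            never answers can block the whole run indefinitely; callers
            scanning many paths should pass a bound.

    Returns:
        The httplib.HTTPResponse. The caller owns it and should close it
        once the headers have been read.
    """
    if timeout is None:
        # Keep the original two-argument call so behaviour (and support for
        # httplib versions without a timeout keyword) is unchanged by default.
        conn = httplib.HTTPConnection(url)
    else:
        conn = httplib.HTTPConnection(url, timeout=timeout)
    conn.request("OPTIONS", page)
    return conn.getresponse()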


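def parse_response(url, page, response):
    """Write one CSV record for an OPTIONS response to stdout.

    Columns, all double-quoted: host, path, "<status> <reason>", the Server
    header and the Allow header. A header the server did not send is
    rendered as the string "None", matching the script's original output.

    The Server and Allow values are copied verbatim from the remote host.
    The csv module is used instead of string formatting so that a double
    quote or newline embedded in either header is escaped rather than
    breaking the record or smuggling extra columns into the output file.

    Args:
        url: host name that was queried.
        page: directory path that was queried.
        response: object with ``status``, ``reason`` and ``getheader(name)``.
    """
    code = ('%s %s' % (response.status, response.reason)).strip()
    server = response.getheader('Server')
    options = response.getheader('Allow')

    # QUOTE_ALL reproduces the original "a","b","c" layout; '\n' matches
    # the line ending print used to emit.
    writer = csv.writer(sys.stdout, quoting=csv.QUOTE_ALL, lineterminator='\n')
    writer.writerow([url, page, code, str(server), str(options)])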


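def main():
    """Probe every directory listed in sys.argv[2] on the host in sys.argv[1].

    parse_response writes one CSV line per directory to stdout. A directory
    that cannot be probed (connection refused, timeout, malformed reply) is
    reported on stderr and skipped, so one bad path no longer ends the whole
    run; anything other than a network or protocol error propagates.
    """
    url = sys.argv[1]

    with open(sys.argv[2], 'rU') as infile:
        for page in infile:
            page = page.strip()
            # A blank line used to raise IndexError on page[0], which the
            # old bare except turned into a silent early exit.
            if not page:
                continue

            # Normalise to "/name/" so the request targets the directory itself.
            if page[0] != '/':
                page = '/' + page
            if page[-1] != '/':
                page = page + '/'

            try:
                http = make_conn(url, page)
                try:
                    parse_response(url, page, http)
                finally:
                    # Only the headers are needed; release the socket now
                    # rather than leaving one open per probed path.
                    http.close()
            except (httplib.HTTPException, socket.error):
                # sys.exc_info() keeps this compatible with the Python 2.5
                # era the with_statement import targets.
                err = sys.exc_info()[1]
                sys.stderr.write('%s%s: %s\n' % (url, page, err))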
        

if __name__ == "__main__":
    # argv[0] is the script itself, so a host plus a directory list means
    # at least three entries; anything less gets the usage line and exit 1.
    if len(sys.argv) >= 3:
        main()
    else:
        print(usage)
        sys.exit(1)