Testing HTTP methods with Meth0dMan

Are you looking for a tool to test different HTTP verbs against URL / API endpoints? Then the Burp Suite extension Meth0dMan is for you.

  1. Right-click the request you want to test and click “Send to Meth0dMan”.

  2. The request is sent to Intruder. The HTTP verb and the URI endpoint are automatically highlighted.

  3. Set the Attack Type to “Cluster bomb”.

  4. For the first Payload Set, enter the HTTP verbs.

  5. For the second Payload Set, set the Payload type to “Extension-generated” and select “Meth0dMan Payloads” as the payload generator.

  6. Make sure that Payload Encoding is unticked. Otherwise the URI endpoints (mostly the slash /) get encoded, which results in a 400 Bad Request response from the server.

Once the attack is completed, the extension will have tested all combinations of HTTP verbs against the different permutations / endpoints gathered from the response.
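To review the finished attack, the results can be compared against the methods each endpoint is meant to accept. The following is an added example, not part of Meth0dMan or the original post; the verbs, paths, status codes and the `EXPECTED` policy are constructed assumptions.

```python
from itertools import product
from urllib.parse import quote

# Constructed sample data; verbs, paths and policy are assumptions for illustration.
VERBS = ["GET", "POST", "PUT", "DELETE"]
ENDPOINTS = ["/api/users", "/api/users/1"]

# Hypothetical policy: the methods each endpoint is supposed to accept.
EXPECTED = {
    "/api/users": {"GET", "POST"},
    "/api/users/1": {"GET"},
}

# Constructed results as (verb, path, status), as read from the attack results table.
RESULTS = [
    ("GET", "/api/users", 200), ("POST", "/api/users", 201),
    ("PUT", "/api/users", 405), ("DELETE", "/api/users", 405),
    ("GET", "/api/users/1", 200), ("POST", "/api/users/1", 405),
    ("PUT", "/api/users/1", 200), ("DELETE", "/api/users/1", 204),
]


def cluster_bomb(verbs, endpoints):
    """Every verb paired with every endpoint, as Cluster bomb does with two payload sets."""
    return list(product(verbs, endpoints))


def encoded(path):
    """What a path payload becomes if Payload Encoding is left ticked for '/'."""
    return quote(path, safe="")


def triage(results, expected):
    """Return findings: methods accepted outside the policy, or an encoding warning."""
    if results and all(status == 400 for _, _, status in results):
        return ["every request returned 400: check that Payload Encoding is unticked"]
    findings = []
    for verb, path, status in results:
        accepted = 200 <= status < 300
        if accepted and verb not in expected.get(path, set()):
            findings.append(f"{verb} {path} -> {status} (not in expected methods)")
    return findings


if __name__ == "__main__":
    print(len(cluster_bomb(VERBS, ENDPOINTS)), "requests in the attack")
    print(encoded("/api/users"))
    for finding in triage(RESULTS, EXPECTED):
        print(finding)
```

Any finding it prints is a verb the endpoint accepted even though the policy does not list it, which is the row to look at first in the results.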


Source code: https://github.com/portswigger/meth0d-man