Testing HTTP methods with Meth0dMan

Are you looking for a tool to test different HTTP verbs against URL / API endpoints? Then the Burp Suite extension Meth0dMan is for you.

How to use?

  1. Right-click the request you want to test and click “Send to Meth0dMan”.

  2. The request is sent to Intruder. The HTTP verb and the URI endpoint are automatically highlighted.

  3. Set the Attack Type to “Cluster bomb”.

  4. For the first Payload Set, enter the HTTP verbs.

  5. For the second Payload Set, set the Payload type to “Extension-generated” and select “Meth0dMan Payloads” as the payload generator.

  6. Make sure that Payload Encoding is unticked. Otherwise the characters in the URI endpoints (mostly the slash /) get URL-encoded, and the server responds with 400 Bad Request.

Once the attack completes, the extension will have tested every HTTP verb against each of the endpoint permutations gathered from the response.
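The same verb-by-endpoint sweep can be scripted to check a service you run against its intended method policy. This is an added example, not Meth0dMan's code: the local test server, its routes, the policy and all function names are constructed for illustration, and the server is assumed to answer 400 when the request target does not start with a slash, which is what happens when the endpoint payload is URL-encoded.

```python
import http.client, itertools, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import quote
VERBS = ["GET", "POST", "PUT", "DELETE", "PATCH"]
# Intended policy (constructed): methods each endpoint should accept.
POLICY = {"/api/users": {"GET", "POST"}, "/api/users/1": {"GET", "PUT"}}
# What the constructed test server really accepts: DELETE was left enabled.
ROUTES = {"/api/users": {"GET", "POST"}, "/api/users/1": {"GET", "PUT", "DELETE"}}

class Handler(BaseHTTPRequestHandler):
    def _reply(self):
        if not self.path.startswith("/"):
            code = 400          # malformed request target, e.g. an encoded slash
        elif self.path not in ROUTES:
            code = 404
        else:
            code = 200 if self.command in ROUTES[self.path] else 405
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()
    do_GET = do_POST = do_PUT = do_DELETE = do_PATCH = _reply
    def log_message(self, *args): pass   # keep the console quiet

def probe(port, verbs, paths, encode=False):
    """Send every verb to every path (the cluster-bomb cross product)."""
    results = {}
    for verb, path in itertools.product(verbs, paths):
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        conn.request(verb, quote(path, safe="") if encode else path)
        results[(verb, path)] = conn.getresponse().status
        conn.close()
    return results

def unexpected(results):  # pairs answered 2xx although the policy forbids the verb
    return sorted(k for k, s in results.items() if s < 300 and k[0] not in POLICY[k[1]])

def run():
    server = HTTPServer(("127.0.0.1", 0), Handler)   # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return probe(port, VERBS, POLICY), probe(port, VERBS, POLICY, encode=True)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    plain, encoded = run()
    print("outside policy:", unexpected(plain), "| encoded run:", set(encoded.values()))
```

The unencoded run flags the one verb/endpoint pair the server accepts outside the policy, while the encoded run returns only 400s and would hide it.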


Source code: https://github.com/portswigger/meth0d-man