Testing HTTP methods with Meth0dMan

Are you looking for a tool to test different HTTP verbs over URL / API endpoints ? Then the BurpSuite extension Meth0dMan is for you.

How to use ?

  1. Right click on the request you want to test and click on “Send to Meth0dMan”.


  1. The request is sent to Intruder. The HTTP verb and the URI endpoint is automatically highlighted.


  1. Select the Attack Type to be “Cluster bomb”.


  1. For the first Payload Set, enter the HTTP verbs.


  1. For the second, select the Payload type to be “Extension-generated” and select the payload generator as “Meth0dMan Payloads


  1. Make sure that Payload Encoding is unticked. If not, the URI endpoints (mostly slash /) would get encoded and will result in 400 Bad Request response from server.


Once the attack is completed, the extension would have tested all combinations of HTTP verbs on different permutations / endpoints gathered from the response.


Source code: https://github.com/portswigger/meth0d-man