WebDAV (Web Distributed Authoring and Versioning) Pentesting

Default Port: 80, 443

WebDAV (Web Distributed Authoring and Versioning) is an extension of the HTTP protocol that facilitates collaborative editing and management of files stored on web servers. It allows users to remotely manage files over the Internet, including creating, reading, writing, and deleting files on a web server.

WebDAV operates on top of the HTTP protocol, utilizing methods like PROPFIND, GET, PUT, DELETE, COPY, MOVE, and MKCOL to perform file operations. It provides a standardized way for clients to interact with remote web servers, enabling seamless file management.

Connect

Connect Using WebDAV Clients

Various WebDAV clients, such as Windows Explorer, macOS Finder, and third-party software like Cyberduck or WinSCP, can be used to connect to WebDAV-enabled servers. Simply enter the server URL and provide authentication credentials to establish a connection.

Connect Using Command Line

You can also connect to a WebDAV server using command-line tools like cURL or cadaver:

curl -u username:password -X PROPFIND http://webdav-server-url/

Recon

Identifying WebDAV Server

To identify if a server supports WebDAV, you can send a PROPFIND request and check the response:

curl -X PROPFIND http://webdav-server-url/

Enumeration

Enumerating Files and Directories

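You can enumerate files and directories on a WebDAV server using the PROPFIND method. A request without a Depth header is treated as Depth: infinity, which many servers refuse, so set Depth: 1 to list the immediate children of the collection:

curl -X PROPFIND -H "Depth: 1" http://webdav-server-url/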

Enumerating WebDAV Methods

Nmap can be used to identify supported WebDAV methods:

nmap -p 80,443 --script http-methods <target-ip>

Attack Vectors

Unauthorized Access

If WebDAV permissions are misconfigured, attackers may gain unauthorized access to sensitive files or directories stored on the server. Exploiting weak credentials or default configurations is a common attack vector.

File Manipulation

Attackers may upload malicious files or modify existing files on the WebDAV server to execute arbitrary code or deface web pages. This can lead to remote code execution (RCE) or other security breaches.
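From the defender's side, the file manipulation described above leaves traces in the web server's access log. The following is an added example, not part of the original page: a small detector that flags accepted WebDAV write requests. The log lines, IP addresses, paths, the extension list and the severity labels are constructed assumptions.

```python
import re
from collections import namedtuple

# WebDAV methods that change server state (RFC 4918) plus HTTP PUT/DELETE.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE", "PROPPATCH"}
# Assumed list of extensions the server may execute; match it to enabled handlers.
EXEC_EXT = (".php", ".asp", ".aspx", ".jsp")

# Common/Combined Log Format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

Finding = namedtuple("Finding", "severity ip user method path status")

def scan(lines):
    """Return findings for write-type requests that the server accepted (2xx)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue
        status = int(m["status"])
        if not 200 <= status < 300:
            continue  # rejected writes (401/403/405) are not reported here
        path = m["path"].split("?", 1)[0].lower()
        if path.endswith(EXEC_EXT):
            severity = "high"    # executable content written under the web root
        elif m["user"] == "-":
            severity = "medium"  # write accepted without authentication
        else:
            severity = "low"     # authenticated write; compare with expected users
        findings.append(Finding(severity, m["ip"], m["user"], m["method"], m["path"], status))
    return findings

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE = [
    '198.51.100.7 - - [10/Mar/2024:10:01:02 +0000] "PROPFIND /dav/ HTTP/1.1" 207 1432 "-" "curl/8.4.0"',
    '198.51.100.7 - - [10/Mar/2024:10:01:09 +0000] "PUT /dav/notes.txt HTTP/1.1" 201 0 "-" "curl/8.4.0"',
    '198.51.100.7 - - [10/Mar/2024:10:01:15 +0000] "PUT /dav/upload.php HTTP/1.1" 201 0 "-" "curl/8.4.0"',
    '203.0.113.20 - alice [10/Mar/2024:10:02:00 +0000] "MKCOL /dav/reports/ HTTP/1.1" 201 0 "-" "davfs2/1.6"',
    '203.0.113.9 - - [10/Mar/2024:10:03:00 +0000] "DELETE /dav/index.html HTTP/1.1" 403 199 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

MOVE and COPY carry their target in the Destination header, which default access log formats do not record, so add that header to the log format if you depend on this check.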

Denial of Service (DoS)

Flooding a WebDAV server with excessive requests can overload its resources and cause denial of service (DoS) to legitimate users. This can be achieved through HTTP flooding or other volumetric attacks.

Post-Exploitation

Exploiting Misconfigurations

After gaining access to a WebDAV server, attackers may exploit misconfigurations to escalate privileges, access sensitive data, or pivot to other systems within the network. Common misconfigurations include weak authentication, directory traversal, and insecure file permissions.

Data Exfiltration

Attackers may exfiltrate sensitive data from a compromised WebDAV server by downloading files or transferring them to an external location. This data can be used for blackmail, espionage, or further attacks against the organization.

Persistence

Attackers may establish persistence on a compromised WebDAV server by creating backdoors, modifying system configurations, or installing malware. This allows them to maintain access to the server and continue malicious activities undetected.