DAVTest is a Perl-based tool that automates the testing of WebDAV-enabled servers to identify upload vulnerabilities, executable file type handling, and directory manipulation capabilities. It methodically tests which file types can be uploaded and executed, making it essential for WebDAV security assessments.
Installation
# On Debian/Ubuntu
sudo apt-get install davtest
# From source
git clone https://github.com/Graph-X/davtest.git
cd davtest
chmod +x davtest.pl
./davtest.pl -h
Basic Syntax
davtest [OPTIONS] -url <target_url>
Core Options
| Option | Description |
|---|
-url <URL> | Target WebDAV server URL (required) |
-directory <dir> | Create/use specific directory for tests |
-auth <user:pass> | Basic HTTP authentication |
-move | Test MOVE method capabilities |
-copy | Test COPY method capabilities |
-put | Test PUT file upload (default) |
-sendfile <file> | Upload specific file instead of test files |
-cleanup | Remove test files after completion |
-quiet | Minimal output |
-debug | Verbose debug output |
-version | Display version information |
Testing WebDAV Upload Capabilities
# Basic WebDAV vulnerability scan
davtest -url http://target.com/webdav/
# Test with authentication
davtest -url http://target.com/webdav/ -auth admin:password
# Verbose output for detailed results
davtest -url http://target.com/webdav/ -debug
# Test specific directory
davtest -url http://target.com/webdav/ -directory /test_dir
File Type Testing Strategy
| File Type | Extension | Executable Risk | Common Usage |
|---|
| Active Server Pages | .asp, .aspx | High | IIS servers |
| PHP | .php, .php3, .php4, .php5 | High | Linux servers |
| Perl Scripts | .pl, .cgi | High | Web servers |
| JSP | .jsp | High | Java servers |
| Compiled Executables | .exe, .com | Medium | Windows |
| Shell Scripts | .sh, .bat | High | Bash/batch execution |
| Text/Data | .txt, .jpg, .png | Low | Non-executable |
Advanced Exploitation Techniques
Upload Shell with Extension Bypass
# Test null-byte bypass (.php%00.txt)
davtest -url http://target.com/webdav/ -sendfile shell.php%00.txt
# Test double extension (.php.jpg)
davtest -url http://target.com/webdav/ -sendfile shell.php.jpg
# Test alternative extensions
davtest -url http://target.com/webdav/ -sendfile shell.php5
Directory Manipulation
# Create directory and test uploads
davtest -url http://target.com/webdav/ -directory /uploads
# Test MKCOL (make collection) capability
davtest -url http://target.com/webdav/
# DAVTest will attempt MKCOL operations automatically
MOVE and COPY Operations
# Test MOVE method for file relocation
davtest -url http://target.com/webdav/ -move
# Test COPY method for file duplication
davtest -url http://target.com/webdav/ -copy
# Combine with upload to test moving files to executable locations
davtest -url http://target.com/webdav/ -move -sendfile webshell.txt
Understanding DAVTest Output
Success Indicators
/usr/bin/davtest.pl:
========================================
PROPFIND SUCCEED
MKCOL SUCCEED
PUT text SUCCEED
PUT php SUCCEED
PUT jsp SUCCEED
PUT exe FAIL
PUT aspx FAIL
| Result | Meaning | Risk |
|---|
SUCCEED | Operation allowed | High vulnerability |
FAIL | Operation blocked | Lower risk |
FORBIDDEN | Explicitly denied | Protected |
TIMEOUT | Server not responding | Check connectivity |
Test File Locations
# DAVTest creates temporary test files like:
# davtest.txt
# davtest.php
# davtest.jsp
# davtest.aspx
# davtest.cgi
# davtest.html
Practical Exploitation Workflow
Step 1: Enumerate WebDAV Methods
# Test what WebDAV methods are enabled
davtest -url http://target.com/webdav/
Step 2: Identify Executable File Types
# DAVTest automatically tests common executable extensions
# Results show which can be uploaded and accessed
davtest -url http://target.com/webdav/ -debug
Step 3: Upload Web Shell
# If .php files succeed, upload a PHP shell
davtest -url http://target.com/webdav/ -sendfile shell.php
# If .txt is allowed but .php blocked, try null-byte trick
davtest -url http://target.com/webdav/ -sendfile shell.php.txt
Step 4: Access Uploaded Shell
# Navigate to uploaded file
curl http://target.com/webdav/shell.php
# Or in browser
http://target.com/webdav/shell.php
Common Vulnerable Configurations
Microsoft IIS with WebDAV
# IIS often allows ASP/ASPX upload and execution
davtest -url http://target.com/uploads/ -auth domain\user:pass
# Look for SUCCEED on .aspx files
Apache with WebDAV Module
# Apache mod_dav may allow PHP execution
davtest -url http://target.com/dav/
# Test for PHP execution capability
SharePoint WebDAV
# SharePoint sometimes enables WebDAV for document libraries
davtest -url http://sharepoint.target.com/sites/Documents/
# Check for document upload and execution
Defense and Mitigation
| Defense | Implementation |
|---|
| Disable WebDAV | Remove or disable mod_dav module |
| Whitelist extensions | Only allow safe file types (.pdf, .doc, .txt) |
| Store outside webroot | Upload to directory not web-accessible |
| Disable execution | Use .htaccess or web.config to prevent script execution |
| Authentication | Require strong auth on WebDAV endpoints |
| Validate uploads | Check MIME types and file signatures |
Securing WebDAV Endpoints
Apache Configuration
# Disable WebDAV module
sudo a2dismod dav
sudo a2dismod dav_fs
sudo systemctl restart apache2
Nginx Configuration
# Block WebDAV methods
location / {
limit_except GET POST {
deny all;
}
}
IIS Configuration
# Disable WebDAV in IIS
Remove-WindowsFeature WebDAV-Publishing
Troubleshooting
Connection Refused
# Check if WebDAV is actually enabled
curl -v -X PROPFIND http://target.com/webdav/
# Look for "WebDAV" in response headers
Authentication Failures
# Verify credentials before running davtest
davtest -url http://target.com/webdav/ -auth user:pass -debug
No Executable Types Allowed
# Try alternative locations or nested directories
davtest -url http://target.com/webdav/subdir/ -directory /test
# Check for path traversal opportunities
davtest -url http://target.com/webdav/../cgi-bin/
# Use davtest results to guide MSF modules
# exploit/windows/fileformat modules
# exploit/multi/handler for reverse shells
Best Practices
- Always get authorization before testing WebDAV servers
- Document all findings in detailed reports
- Test in isolated lab environments first
- Run cleanup to remove test files:
davtest -url http://target.com/ -cleanup
- Combine davtest with other tools (curl, nmap WebDAV detection)
- Test multiple file types systematically
- Check file access restrictions after upload
- Verify execution context (system user, privileges)
| Tool | Purpose |
|---|
curl | Manual WebDAV testing with custom methods |
nmap | Detect WebDAV with http-webdav-scan |
Burp Suite | Intercept and manipulate WebDAV requests |
nikto | Web server vulnerability scanning |
metasploit | Exploit WebDAV vulnerabilities |
Resources
- OWASP WebDAV Security
- CWE-434: Unrestricted Upload of File with Dangerous Type
- CVE databases for WebDAV RCE vulnerabilities
- RFC 4918: HTTP Extensions for Web Distributed Authoring and Versioning
