This plugin finds which HTTP methods are enabled for a URI. Two configurable parameters exist:

  • execOneTime
  • reportDavOnly

If “execOneTime” is set to True, then only the methods in the webroot are enumerated. If “reportDavOnly” is set to True, this plugin will only report the enabled method list if DAV methods have been found. The plugin will try to use the OPTIONS method to enumerate all available methods, if that fails, a manual enumeration is done.

Plugin type



Name Type Default Value Description Help
execOneTime boolean True Execute plugin only one time Generally the methods allowed for a URL are configured system wide, so executing this plugin only once is the faster choice. The most accurate choice is to run it against every URL.
reportDavOnly boolean True Only report findings if uncommon methods are found No detailed help available


For more information about this plugin and the associated tests, there’s always the source code to understand exactly what’s under the hood:
github-logoPlugin source code
Unittest source code


This plugin has no dependencies.