cloud1
cloud2
cloud3
cloud4
cloud5
cloud6
← Back to annotator catalog
HTTP method anomaly signal illustration
Annotator method

HTTP method anomaly

Unusual or unexpected HTTP methods observed for the target endpoints.

Attack family · Verb abuse and method probing Phase · Reconnaissance and workflow manipulation Risk · Medium
How It Works Recent Real Samples

What This Annotator Watches

This explanation is derived from the live annotator implementation, not hand-waved catalog copy.
Focus
  • Unexpected HTTP verbs for the target surface
  • Method switching that looks unlike normal browsing
  • Administrative or probing verbs used against ordinary pages
Logic
  • The annotator compares the observed verb against expected web usage patterns.
  • It is useful around 405, 403, and admin-like endpoints.
  • Strength comes from pairing method oddity with path, status, and velocity.
Attack Family
Verb abuse and method probing
Phase · Reconnaissance and workflow manipulation Risk · Medium
Unexpected methods expose assumptions in routers, middleware, caches, and application handlers. An attacker can learn a surprising amount just by using the wrong verb in the right place.
Damage Patterns
  • Method abuse can reveal hidden handlers, bypass weak route logic, or trigger unusual state transitions.
  • It is also a common low-cost way to fingerprint frameworks and administrative surfaces.
Incident Lore
  • A lot of awkward security bugs looked harmless until someone discovered that one verb was routed or authorized differently from another.
  • Method oddity is often one of the first signs that the client is testing behavior, not consuming content.
How To Read It
Interpret this as a request-intent clue: the client is using a verb the page probably did not expect.
Defender Takeaway
Interpret this as workflow pressure. Someone is asking the application to behave outside its happy path.
Catalog Definition
Flags requests using HTTP methods that are atypical for the application or for specific endpoints (e.g., unexpected verbs, method switching across retries, or methods inconsistent with normal browsing). This can reflect probing, misuse attempts, or misconfigured clients. Interpret with endpoint intent (browser page vs API vs upload) and response patterns (405/403/400).

10 Most Recent Real Samples

Weekly cached from live annotated access events so the catalog stays fast.
Week
2026W16
Lookback
30 days
Total matched
1103
Latest sample
Apr 13, 2026 • 00:40
Top rules
method:webdav_verb · 6 method:trace_or_connect · 2 method:http2_preface · 1
Top requester orgs
Demenin B.V · 6 Censys Inc · 2 Techoff SRV Limited · 2
Severity mix
6 · 7 8 · 2 10 · 1
Method mix
PROPFIND · 6 CONNECT · 2 PRI · 1 \X16\X03\X01\X00 · 1
PROPFIND 403 6
Apr 13, 2026 • 00:40
/
WebDAV verb observed: PROPFIND
IP 46.151.178.13 Subnet 46.151.178.0/24 Org Demenin B.V Country Ukraine Rule method:webdav_verb
PROPFIND 403 6
Apr 13, 2026 • 00:14
/
WebDAV verb observed: PROPFIND
IP 46.151.178.13 Subnet 46.151.178.0/24 Org Demenin B.V Country Ukraine Rule method:webdav_verb
PRI 400 6
Apr 12, 2026 • 23:00
*
HTTP/2 preface-like request line
IP 66.132.172.203 Subnet 66.132.172.0/24 Org Censys Inc Country United States Rule method:http2_preface
\X16\X03\X01\X00 400 10
Apr 12, 2026 • 23:00
/
Non-RFC HTTP method token
IP 66.132.172.203 Subnet 66.132.172.0/24 Org Censys Inc Country United States Rule method:non_rfc_token
PROPFIND 403 6
Apr 12, 2026 • 22:58
/
WebDAV verb observed: PROPFIND
IP 46.151.178.13 Subnet 46.151.178.0/24 Org Demenin B.V Country Ukraine Rule method:webdav_verb
PROPFIND 403 6
Apr 12, 2026 • 22:56
/
WebDAV verb observed: PROPFIND
IP 46.151.178.13 Subnet 46.151.178.0/24 Org Demenin B.V Country Ukraine Rule method:webdav_verb
CONNECT 400 8
Apr 12, 2026 • 22:37
dmarket.com:443
Disallowed method: CONNECT
IP 2.57.122.103 Subnet 2.57.122.0/24 Org Techoff SRV Limited Country The Netherlands Rule method:trace_or_connect
CONNECT 400 8
Apr 12, 2026 • 22:37
dmarket.com:443
Disallowed method: CONNECT
IP 2.57.122.103 Subnet 2.57.122.0/24 Org Techoff SRV Limited Country The Netherlands Rule method:trace_or_connect
PROPFIND 403 6
Apr 12, 2026 • 21:48
/
WebDAV verb observed: PROPFIND
IP 46.151.178.13 Subnet 46.151.178.0/24 Org Demenin B.V Country Ukraine Rule method:webdav_verb
PROPFIND 403 6
Apr 12, 2026 • 21:37
/
WebDAV verb observed: PROPFIND
IP 46.151.178.13 Subnet 46.151.178.0/24 Org Demenin B.V Country Ukraine Rule method:webdav_verb