Annotator method

HTTP method anomaly

Unusual or unexpected HTTP methods observed for the target endpoints.

Attack family · Verb abuse and method probing
Phase · Reconnaissance and workflow manipulation
Risk · Medium

What This Annotator Watches

This explanation is derived from the live annotator implementation, not hand-waved catalog copy.
Focus
  • Unexpected HTTP verbs for the target surface
  • Method switching that looks unlike normal browsing
  • Administrative or probing verbs used against ordinary pages
Logic
  • The annotator compares the observed verb against expected web usage patterns.
  • It is most useful alongside 405 and 403 responses and on admin-like endpoints.
  • Strength comes from pairing method oddity with path, status, and velocity.
Attack Family
Unexpected methods expose assumptions in routers, middleware, caches, and application handlers. An attacker can learn a surprising amount just by using the wrong verb in the right place.
Damage Patterns
  • Method abuse can reveal hidden handlers, bypass weak route logic, or trigger unusual state transitions.
  • It is also a common low-cost way to fingerprint frameworks and administrative surfaces.
Incident Lore
  • A lot of awkward security bugs looked harmless until someone discovered that one verb was routed or authorized differently from another.
  • Method oddity is often one of the first signs that the client is testing behavior, not consuming content.
How To Read It
Interpret this as a request-intent clue: the client is using a verb the page probably did not expect.
Defender Takeaway
Interpret this as workflow pressure. Someone is asking the application to behave outside its happy path.
Catalog Definition
Flags requests using HTTP methods that are atypical for the application or for specific endpoints (e.g., unexpected verbs, method switching across retries, or methods inconsistent with normal browsing). This can reflect probing, misuse attempts, or misconfigured clients. Interpret with endpoint intent (browser page vs API vs upload) and response patterns (405/403/400).
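
A minimal sketch of this kind of check, added here as an illustration; it is not the annotator's implementation. The three `method:` rule names and their severities are taken from the samples on this page (reading the third number on each sample line as severity); `method:unexpected_verb`, its severity, the expected-verb set and the sample events are assumptions.

```python
import re
from collections import defaultdict

# RFC 9110: a method is a "token", i.e. one or more tchar characters.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
WEBDAV = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}  # RFC 4918
EXPECTED = {"GET", "HEAD", "POST", "OPTIONS"}  # assumption: browser-facing site
REJECTED = {400, 403, 405}  # statuses the catalog definition pairs with the verb


def classify(method):
    """Return (rule, severity) for an anomalous method, or None if expected."""
    if not TOKEN.fullmatch(method):
        return ("method:non_rfc_token", 10)   # binary or non-HTTP traffic on the port
    if method in ("TRACE", "CONNECT"):
        return ("method:trace_or_connect", 8)
    if method in WEBDAV:
        return ("method:webdav_verb", 6)
    if method not in EXPECTED:
        return ("method:unexpected_verb", 4)  # hypothetical rule and severity
    return None


def annotate(events):
    """Pair each method hit with client, status and repeat count (velocity)."""
    hits = defaultdict(lambda: {"count": 0, "rejected": 0})
    for ip, method, path, status in events:
        verdict = classify(method)
        if verdict is None:
            continue
        h = hits[(ip, *verdict)]              # key: (ip, rule, severity)
        h["count"] += 1
        h["rejected"] += status in REJECTED
    return dict(hits)


# Constructed sample events (ip, method, path, status); addresses are documentation ranges.
SAMPLE = [
    ("192.0.2.10", "GET", "/", 200),
    ("192.0.2.20", "PROPFIND", "/", 403),
    ("192.0.2.20", "PROPFIND", "/", 403),
    ("198.51.100.7", "CONNECT", "example.com:443", 400),
    ("203.0.113.5", "\x16\x03\x01\x05", "", 400),  # looks like a TLS record header
    ("192.0.2.10", "DELETE", "/index.html", 405),
]

if __name__ == "__main__":
    print(annotate(SAMPLE))
```

The token check runs first so that raw binary sent to the HTTP port is never compared against verb lists, and the per-client count gives the velocity dimension the Logic section mentions.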

10 Most Recent Real Samples

Cached weekly from live annotated access events so the catalog stays fast.
Week: 2026W15
Lookback: 30 days
Total matched: 766
Latest sample: Apr 06, 2026 • 00:51
Top rules: method:webdav_verb · 6, method:non_rfc_token · 2, method:trace_or_connect · 2
Top requester orgs: Demenin B.V · 6, Pfcloud UG · 2, PIN DC · 1
Severity mix: 6 · 6, 10 · 2, 8 · 2
Method mix: PROPFIND · 6, CONNECT · 2, \X16\X03\X01\X05 · 1, \X00\X00\X00'\XF · 1
\X16\X03\X01\X05 400 10
Apr 06, 2026 • 00:51
\xAF\x5C\xE9<[\x84-7M\x9BS\x10\x00M\x1F1\x5C\xCC
Non-RFC HTTP method token
IP 5.101.64.6 Subnet 5.101.64.0/24 Org PIN DC Country Russia Rule method:non_rfc_token
PROPFIND 403 6
Apr 06, 2026 • 00:01
/
WebDAV verb observed: PROPFIND
IP 46.151.178.13 Subnet 46.151.178.0/24 Org Demenin B.V Country Ukraine Rule method:webdav_verb
PROPFIND 403 6
Apr 05, 2026 • 23:54
/
WebDAV verb observed: PROPFIND
IP 46.151.178.13 Subnet 46.151.178.0/24 Org Demenin B.V Country Ukraine Rule method:webdav_verb
CONNECT 400 8
Apr 05, 2026 • 23:21
google.com:443
Disallowed method: CONNECT
IP 45.135.194.20 Subnet 45.135.194.0/24 Org Pfcloud UG Country Germany Rule method:trace_or_connect
PROPFIND 403 6
Apr 05, 2026 • 22:45
/
WebDAV verb observed: PROPFIND
IP 46.151.178.13 Subnet 46.151.178.0/24 Org Demenin B.V Country Ukraine Rule method:webdav_verb
PROPFIND 403 6
Apr 05, 2026 • 22:31
/
WebDAV verb observed: PROPFIND
IP 46.151.178.13 Subnet 46.151.178.0/24 Org Demenin B.V Country Ukraine Rule method:webdav_verb
\X00\X00\X00'\XF 400 10
Apr 05, 2026 • 21:35
LM
Non-RFC HTTP method token
IP 69.164.217.245 Subnet 69.164.217.0/24 Org Linode Country United States Rule method:non_rfc_token
PROPFIND 403 6
Apr 05, 2026 • 21:33
/
WebDAV verb observed: PROPFIND
IP 46.151.178.13 Subnet 46.151.178.0/24 Org Demenin B.V Country Ukraine Rule method:webdav_verb
PROPFIND 403 6
Apr 05, 2026 • 21:01
/
WebDAV verb observed: PROPFIND
IP 46.151.178.13 Subnet 46.151.178.0/24 Org Demenin B.V Country Ukraine Rule method:webdav_verb
CONNECT 400 8
Apr 05, 2026 • 19:55
google.com:443
Disallowed method: CONNECT
IP 45.135.194.20 Subnet 45.135.194.0/24 Org Pfcloud UG Country Germany Rule method:trace_or_connect