What http methods is used in Data Exfiltration ?


Hello Teams,

I’m a MSSP , my client sent me a issues that their DLP vendor said their solution can only detect data is tried to exfiltrate by http get methods.

I can find Browsing HTTP/HTTPS this channel is using http get response to exfiltrate data to Cymulate.

But, what about other channels?

In attack logs , I can see onedirve、github ,these channels are using API call : PUT https://xxxx.xxxxx

It seems using http put methods , right?

Could you help me to clarified for what http methods will be used in each channels?

That’s my client and their DLP vendor wondering to know , then they will try to optimize their solution.



Best answer by Shiraz 22 May 2023, 19:27

View original

2 replies

Userlevel 3
Badge +3

Hi @Jerry_Hsieh 

We use GET only for HTTP Browsing and HTTPS Browsing

The rest of the exfiltration methods uses PUT or POST (depends on the API).



Hi @Shiraz ,


Thanks for your explanation.

Base-on this question , there are a lots of content-type in each exfiltration methods ,like word, pdf, string, etc. , For example , in OneDrive channel uses PUT methods , I wondering to confirm PUT method will be used for all content-type in OneDrive channel whether will mix POST methods for some specific content-type?

That’s an example , we saw some of content-type is blocked ,rest of them is penetrated from the report.

If all of content-type are used PUT method, that their DLP should not have ability to detect and block.

So, we wondering to confirm that whether each channel uses PUT/POST/GET one of them only for all content-type.