puts() are used to writing string in the standard console( monitor) what ever you give to puts() its simply write to monitor so puts() are not dangerous. lets talk about why gets() are dangerous? gets() read data from keyboard until user does’t provide new line. because its never check the length of given input some data are also overwritten to other variable or its give segmentation fault(UNIX/LINUX) or program crash. Famous Stack Overflow are very possible if gets() are used in over program. But today it’s deprecated and most of the modern compiler give warning. I show using this GCC compiler in Linux where content overwritten not possible because GCC compiler put a guard by default to prevent stack smashing. Compiler Warning : Output : Similar is also applicable for windows. One thing here you remember which compiler are used by your Code Block (mingw or gcc or borland turbo C) for compiling program because Code Block is simply a IDE which help to make easy program development. Answer from Susheel Dwivedi on quora.com
🌐
PortSwigger
portswigger.net › kb › issues › 00100900_http-put-method-is-enabled
HTTP PUT method is enabled - PortSwigger
The HTTP PUT method is normally used to upload data that is saved on the server at a user-supplied URL. If enabled, an attacker may be able to place arbitrary, and potentially malicious, content into the application.
Top answer
1 of 16
4
puts() are used to writing string in the standard console( monitor) what ever you give to puts() its simply write to monitor so puts() are not dangerous. lets talk about why gets() are dangerous? gets() read data from keyboard until user does’t provide new line. because its never check the length of given input some data are also overwritten to other variable or its give segmentation fault(UNIX/LINUX) or program crash. Famous Stack Overflow are very possible if gets() are used in over program. But today it’s deprecated and most of the modern compiler give warning. I show using this GCC compiler in Linux where content overwritten not possible because GCC compiler put a guard by default to prevent stack smashing. Compiler Warning : Output : Similar is also applicable for windows. One thing here you remember which compiler are used by your Code Block (mingw or gcc or borland turbo C) for compiling program because Code Block is simply a IDE which help to make easy program development.
2 of 16
305
The “C/C++ language” does not exist. C and C++ are two different languages, each with its own standard. [code ]gets()[/code] no longer appears in either language, although it was removed from each at different times. Standard C removed [code ]gets()[/code] in C11. It does define an optional safe alternative, [code ]gets_s[/code]. Standard C++ deprecated [code ]std::gets()[/code] in C++11, and removed it in C++14. It does not define a corresponding [code ]std::gets_s()[/code]. That said, many environments still provide it. Of course, most of the compilers I’ve used the last 20+ years complained rather loudly about [code ]gets()[/code], long before C11 removed it. The complaint usually comes at link time: [code]/tmp/cce2YlR3.o:gets.c:function main: warning: the `gets' function is dangerous and should not be used. [/code]Sadly, the compiler on my Mac is not one of those. It waits until [code]gets()[/code] is called at run time to complain instead. [code]$ ./program_that_calls_gets warning: this program uses gets(), which is unsafe. [/code]
🌐
Society for Information Reuse and Integration
sis.pitt.edu › jjoshi › courses › is2620 › spring07 › lecture3.pdf pdf
1 Secure Coding in C and C++ String Vulnerabilities Lecture 3
puts("Enter Password:"); 1 · Note: This vulnerability also could have been exploited to execute · arbitrary code contained in the input string. 19 · Arc Injection (return-into-libc) z Arc injection transfers control to code that already · exists in the program’s memory space ·
Top answer
1 of 4
15

PUT and DELETE are not intrinsically insecure, they are used without problems at many REST services for example.

In my practice the main problem related to these HTTP verbs (apart from the common authentication and authorization problems) was that the server operators weren't aware of their existence introducing the possibility of HTTP Verb Tampering. In summary this means that access control was implemented based on a HTTP verb blacklist but some lesser known verbs were missing from this list allowing access control bypass.

I'd like to note that many web servers implement their own custom (sometimes undocumented) HTTP verbs, so this kind of "Verb-Based Access Control" doesn't seem like a very good idea anyway.

A Note on XSS (Edit 2023.11.17.)

In many cases applications use a particular interface by sending POST requests to it. If the interface is vulnerable to reflected XSS and it also accepts parameters in GET requests exploitation may become easier: if the interface only accepted POST, an attacker would need to direct the victim to a site controlled by him, so a crafted POST request to the real target can be triggered. On the other hand when GET is processed the same way as POST, the attacker only has to convince the victim to follow a link pointing to the (trusted) domain of the vulnerable target application.

Many current frameworks require you to explicitly specify what verb(s) a particular server-side method accepts (with annotations like @GET or @POST). It seems like a good idea to keep the set of accepted verbs minimal.

2 of 4
12

HTTP methods have little to do with security in and of themselves. A method like DELETE /users/1 could easily also be implemented as POST /users/1/delete or even GET /users/1/delete (GETs should never have side effects, but that doesn't stop some developers from doing so anyway).

You should therefore treat them similarly to any other HTTP method. GETs should not change server state, so typically you would only need to verify that the client has read access to the requested resource. PUTs should be used to update a resource wholly in-place (although they are often also used similarly to the PATCH verb), and so you should ensure that the client has the privileges to do this. Likewise, DELETE should be sent in order to request that a resource be deleted. So you would want to ensure a user has permission to do so.

In short: treat the verbs as descriptors of the type of action the user wishes to perform. Authenticate and authorize them to perform these actions as is required by the security parameters of your particular application.

🌐
Snyk
security.snyk.io › snyk vulnerability database › npm
put vulnerabilities
We found a way for you to contribute to the project! Looks like put is missing a Code of Conduct. ... Known vulnerabilities in the put package.
🌐
Arridae
arridae.com › blogs › HTTP-PUT-method.php
How to Exploit HTTP PUT method
An attacker could get a local or root shell on the system using publicly accessible put method also known as one of Webdav method.
🌐
Hacking Articles
hackingarticles.in › home › penetration testing › multiple ways to exploiting put method
Multiple Ways to Exploiting PUT Method
October 10, 2018 - If the web server enables the HTTP PUT method, it can upload a malicious resource to the target server, such as a web shell, and execute it. As users employ this method to change or delete files from the target server’s file system, it often leads to various file upload vulnerabilities, paving the way for critical and dangerous attacks.
🌐
InformIT
informit.com › articles › article.aspx
Articles | InformIT
if(isEnableGA){ if(currentEnvironment == 'QA'){ · }else{ · Articles · 890 Items · Sort by Date | Title · Page 1 2 3 4 5 Next > · Topics · Business & Management · Certification · Engineering
Find elsewhere
🌐
Smeegesec
smeegesec.com › 2014 › 10 › detecting-and-exploiting-http-put-method.html
Detecting and Exploiting the HTTP PUT Method ~ SmeegeSec
I recently found a web server which allowed the HTTP PUT Method. This was detected and proven vulnerable by a Nessus vulnerability scan which actually uploaded it's own page at /savpgr1.html with the text “A quick brown fox jumps over the lazy dog.” My first thought was to see if I could upload a shell (php, asp, jsp) which you can make in metasploit or find online.
🌐
Medium
medium.com › @capturethebugs › common-c-vulnerabilities-56ffad22581e
Common C Vulnerabilities. Introduction | by Capture The Bug | Medium
September 18, 2022 - #include <stdio.h>#include <string.h>int main() { char src[20] = "C programming";char dest[20];// copying src to deststrcpy(dest, src);puts(dest); // C programmingreturn 0; }
🌐
Threatpost
threatpost.com › log4j-vulnerability-pressures-security-world › 177721
The Log4j Vulnerability Puts Pressure on the Security World | Threatpost
January 18, 2022 - First of all, Log4j is a ubiquitous logging library that is very widely used by millions of computers. Second, the director of the U.S. Cybersecurity & Infrastructure Security Agency (CISA) says this is the most serious vulnerability she has ever seen in her career spanning decades, and many security experts agree.
🌐
Acunetix
acunetix.com › vulnerabilities › web › file-creation-via-http-method-put
File creation via HTTP method PUT - Vulnerabilities - Acunetix
A poorly configured Web server can mistakenly provide remote access to the PUT method without requiring any form of login.
🌐
Valency Networks
valencynetworks.com › home › vulnerabilities knowledge base › vulnerable http put method
Vulnerable HTTP PUT Method | Valency Networks %
October 29, 2025 - Although useful for controlled file management, enabling PUT without proper security can allow unauthorized users to upload harmful files, potentially leading to data compromise or server takeover.
🌐
OWASP Foundation
owasp.org › www-community › attacks › Format_string_attack
Format string attack | OWASP Foundation
If the application uses Format Functions in the source-code, which is able to interpret formatting characters, the attacker could explore the vulnerability by inserting formatting characters in a form of the website.
🌐
Cobalt
cobalt.io › homepage › vulnerability wiki › config › enabled http put method leads to create malicious file on the server
Enabled HTTP Put Method Malicious File | Vulnerability Wiki
April 4, 2022 - Read Cobalt's Pentest Vulnerability Wiki and learn about common website vulnerabilities such as enabled HTTP put method creates malicious files on the server.
🌐
Malwarebytes
malwarebytes.com › home › unfixed vulnerability in popular library puts iot products at risk
Unfixed vulnerability in popular library puts IoT products at risk
May 4, 2022 - Researchers have disclosed an unpatched vulnerability in the popular uClibc library that could allow attackers to use DNS poisoning.
🌐
TechRepublic
techrepublic.com › home › security
CISA Warning: High-Severity Linux Flaw Puts Unpatched Systems at Risk
May 6, 2026 - The vulnerability, tracked as CVE-2026-31431 and reportedly under active exploitation, affects the Linux kernel’s crypto subsystem and could allow a low-privileged user to gain root access on vulnerable systems. The issue has drawn a warning from the US Cybersecurity and Infrastructure Security Agency, putting Linux admins under pressure to patch quickly.
🌐
Tenouk
tenouk.com › Bufferoverflowc › Bufferoverflow4.html
A step-by-step on the computer buffer overflow vulnerability tutorials on Intel x86 processor and C standard function call
First situation is as explained in the previous examples. This exploit normally uses the applications/programs that having the buffer overflow vulnerabilities. An exploit can trick a function or subroutine to put more data into its buffer than there is space available.
🌐
Pentest-Tools
pentest-tools.com › home
PUT Method Enabled - Vulnerability & Exploit Database
December 2, 2024 - Vulnerability description · Not availableN/A · Risk description · Not availableN/A · Recommendation · Not availableN/A · References · https://portswigger.net/kb/issues/00100900_http-put-method-is-enabled · Codename · Not availableN/A · Detectable with ·