TRACE Method Allowed

Impact: Low


The HTTP TRACE method allows clients to view the entire request received by the web server, primarily for testing and diagnostic purposes. However, enabling this feature can lead to the disclosure of sensitive information such as cookies and authorization tokens to unauthorized clients, facilitating Cross-Site Tracing (XST) attacks.


Enhance security by disabling the TRACE method in the web server configuration. For Apache web servers, add TraceEnable off to the main configuration file.

For Microsoft IIS, access IIS Manager, navigate to Request Filtering, and modify the configuration for TRACK and TRACE verbs in HTTP Verbs.


Last updated on May 13, 2024

Use SmartScanner Free version to test for this issue