TRACE Method Allowed
Impact: Low
Description
The HTTP TRACE method makes the web server echo the request it received back to the client in the response body (Content-Type: message/http). It exists for diagnostics: it lets a client see what intermediate proxies added to or changed in the request. The problem is that the echoed copy contains request headers that client-side code is normally not allowed to read, such as Cookie values flagged HttpOnly and Authorization headers. If an attacker can make a victim's browser issue a TRACE request to the target and read the response (for example through an injected script or a plugin that does not enforce the same-origin policy), the reflected headers hand them the victim's session credentials. This technique is known as Cross-Site Tracing (XST). Current browsers refuse to send TRACE from XMLHttpRequest and fetch, which is why the impact is rated Low, but the method still discloses header contents to any client that can reach the server and serves no purpose on a production system, so it should be disabled.
Recommendation
Disable the TRACE method in the web server configuration. For the Apache web server, add the following directive to the main configuration file (httpd.conf or apache2.conf) or to the relevant virtual host; it is a server-level directive and cannot be set in .htaccess. With TRACE disabled, Apache answers TRACE requests with 405 Method Not Allowed. Note that TRACE cannot be restricted with the Limit or LimitExcept directives; TraceEnable is the supported way to turn it off.
TraceEnable off
For Microsoft IIS, open IIS Manager, select the server or site, open Request Filtering, and on the HTTP Verbs tab add deny rules for the TRACE and TRACK verbs. The same setting is stored in web.config under system.webServer/security/requestFiltering/verbs, so it can be deployed with the application. IIS answers a denied verb with a 404 response (Request Filtering substatus 404.6).
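To confirm the finding before the change and verify it afterwards, the following added example (not code from the original page, and not a vendor tool) sends a raw TRACE request carrying a random canary header and classifies the answer: a 200 response whose body echoes the canary means TRACE is enabled and reflecting request headers; a 403/404/405/501 means the method is refused. The two embedded sample responses are constructed for offline demonstration, and the function names, the X-Trace-Canary header and the command-line usage are this example's own choices.

```python
"""Probe a web server for an enabled HTTP TRACE method.

Added example, not part of the original page. It sends a raw TRACE request
with a random canary header and reports whether the server reflects the
request (TRACE enabled) or refuses it (TRACE disabled).
"""
import secrets
import socket
import ssl
import sys
from urllib.parse import urlsplit

SAMPLE_CANARY = "c0ffee"

# Constructed sample responses for offline demonstration and testing.
# A server with TRACE enabled echoes the request back as a message/http body,
# including headers such as Cookie that scripts normally cannot read.
SAMPLE_REFLECTED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"X-Trace-Canary: c0ffee\r\n"
    b"Cookie: session=secret\r\n"
    b"\r\n"
)
# Apache with "TraceEnable off" answers 405; IIS Request Filtering answers 404.
SAMPLE_BLOCKED = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET,POST,OPTIONS,HEAD\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<html><body><h1>Method Not Allowed</h1></body></html>"
)


def build_trace_request(host: str, path: str, canary: str) -> bytes:
    """Build a raw HTTP/1.1 TRACE request with a canary header (illustrative name)."""
    lines = [
        f"TRACE {path} HTTP/1.1",
        f"Host: {host}",
        f"X-Trace-Canary: {canary}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def classify_trace_response(raw: bytes, canary: str) -> str:
    """Classify a raw HTTP response to the TRACE probe.

    'reflected': status 200 and our canary came back in the body -> TRACE is on.
    'blocked':   403/404/405/501, the usual refusal codes       -> TRACE is off.
    'other':     anything else, e.g. the server served a normal page instead.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "other"
    status = int(parts[1])
    if status == 200 and canary.encode("ascii") in body:
        return "reflected"
    if status in (403, 404, 405, 501):
        return "blocked"
    return "other"


def check_trace(url: str, timeout: float = 5.0) -> str:
    """Send the probe to a live server (http or https) and classify its answer."""
    parts = urlsplit(url)
    use_tls = parts.scheme == "https"
    host = parts.hostname
    port = parts.port or (443 if use_tls else 80)
    path = parts.path or "/"
    canary = secrets.token_hex(8)  # fresh per probe so a cached page cannot match
    raw_sock = socket.create_connection((host, port), timeout=timeout)
    sock = (ssl.create_default_context().wrap_socket(raw_sock, server_hostname=host)
            if use_tls else raw_sock)
    try:
        sock.sendall(build_trace_request(host, path, canary))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    finally:
        sock.close()
    return classify_trace_response(b"".join(chunks), canary)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], check_trace(sys.argv[1]))
    else:
        print("constructed reflected sample:", classify_trace_response(SAMPLE_REFLECTED, SAMPLE_CANARY))
        print("constructed blocked sample:  ", classify_trace_response(SAMPLE_BLOCKED, SAMPLE_CANARY))
```

Run it without arguments to see the classification of the two constructed samples, or with a URL (for example https://www.example.com/) to probe a real host. The canary is the important part: checking only for a 200 status is not enough, because some servers answer unknown methods with the normal page, and a 200 that does not echo the request is not a TRACE reflection. A quick manual equivalent is curl -i -X TRACE against the site, looking for your own request headers in the body.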
Last updated on March 09, 2021