
TRACK Method Allowed

Impact: Low

Description

The HTTP TRACE and TRACK methods echo the entire request back to the client exactly as the web server received it. The feature exists for testing and diagnostics, but because the echo includes every request header, it can expose sensitive data such as Cookies and Authorization tokens to client-side code that is not supposed to be able to read them. Abusing this is commonly called a Cross-Site Tracing (XST) attack. The TRACK method is specific to the Microsoft IIS web server.

Recommendation

For Microsoft IIS, open IIS Manager, select Request Filtering, and on the HTTP Verbs tab deny the TRACK and TRACE verbs.
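The same change can be scripted and then verified from PowerShell. The block below is an added example, not SmartScanner's code or part of the original page: it assumes an IIS host with the WebAdministration module installed, PowerShell 7 or later (for `-CustomMethod`, which is needed because `TRACK` is not a built-in `-Method` value), and that `$Url` points at a server you administer. The function names, the `X-XST-Probe` header and the marker value are made up for this example.

```powershell
# Added example (not from the original page). Assumes Windows + IIS with the
# WebAdministration module, and PowerShell 7+ for Invoke-WebRequest -CustomMethod.
Import-Module WebAdministration

# Deny TRACE and TRACK in Request Filtering, the scripted equivalent of the
# IIS Manager steps above. Default scope is server-wide (applicationHost.config);
# pass -PSPath 'IIS:\Sites\Default Web Site' to scope it to one site.
function Disable-TraceVerbs {
    param(
        [string]$PSPath = 'MACHINE/WEBROOT/APPHOST',
        [string[]]$Verbs = @('TRACE', 'TRACK')
    )
    $filter = 'system.webServer/security/requestFiltering/verbs'
    foreach ($verb in $Verbs) {
        $entry = Get-WebConfigurationProperty -PSPath $PSPath `
            -Filter "$filter/add[@verb='$verb']" -Name 'allowed' -ErrorAction SilentlyContinue
        if ($null -eq $entry) {
            # No rule yet for this verb: add a deny entry
            Add-WebConfigurationProperty -PSPath $PSPath -Filter $filter -Name '.' `
                -Value @{ verb = $verb; allowed = 'False' }
        } else {
            # Rule exists (possibly allowing the verb): force it to deny
            Set-WebConfigurationProperty -PSPath $PSPath `
                -Filter "$filter/add[@verb='$verb']" -Name 'allowed' -Value 'False'
        }
    }
}

# Verify the fix against your own server: send a TRACE and a TRACK request carrying
# a random marker header and report whether the marker comes back in the body.
# After the fix IIS should answer 404 (Request Filtering "verb not allowed") with
# Reflected = False for both methods.
function Test-TraceReflection {
    param([Parameter(Mandatory)][string]$Url)
    $marker = 'xst-check-' + [guid]::NewGuid().ToString('N')   # constructed probe value
    foreach ($method in 'TRACE', 'TRACK') {
        try {
            $resp = Invoke-WebRequest -Uri $Url -CustomMethod $method `
                -Headers @{ 'X-XST-Probe' = $marker } -SkipHttpErrorCheck -TimeoutSec 10
            [pscustomobject]@{
                Method    = $method
                Status    = [int]$resp.StatusCode
                Reflected = [bool]($resp.Content -match [regex]::Escape($marker))
            }
        } catch {
            [pscustomobject]@{ Method = $method; Status = 'error'; Reflected = $false; Detail = $_.Exception.Message }
        }
    }
}

# Usage (run in an elevated PowerShell on the IIS host):
# Disable-TraceVerbs
# iisreset
# Test-TraceReflection -Url 'https://your-server.example/' | Format-Table
```

`Reflected = True` on either method means the server is still echoing request headers and the change has not taken effect (check that the site does not override the server-level Request Filtering section in its own web.config).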

References

Last updated on March 09, 2021
