TRACK Method Allowed

Impact: Low


The HTTP TRACE method (and TRACK, its Microsoft IIS equivalent) echoes the complete request the web server received back to the client in the response body. Although intended for testing and diagnostic purposes, the echoed request contains headers such as Cookie and Authorization, so these methods can expose cookies and authorization tokens to a client that would not otherwise be able to read them, potentially leading to Cross-Site Tracing (XST) attacks.


To mitigate this risk on Microsoft IIS, open IIS Manager, navigate to Request Filtering, and on the HTTP Verbs tab change the configuration for the TRACK and TRACE verbs so that both are denied.
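The same change applied from PowerShell instead of IIS Manager, followed by a verification probe, as an added example that is not part of the original page. It assumes the IIS WebAdministration module is installed and the shell runs elevated; `$SiteUrl` is a placeholder for your own site, and `Test-TraceEcho` is a helper written for this example, not an IIS cmdlet.

```powershell
# Added example (not from the SmartScanner page): deny the TRACE and TRACK verbs in
# IIS Request Filtering from PowerShell, then confirm the server no longer echoes them.
# Assumptions: WebAdministration module present, elevated shell, $SiteUrl is a placeholder.
Import-Module WebAdministration

$pspath = 'MACHINE/WEBROOT/APPHOST'                         # server-wide applicationHost.config
$filter = 'system.webServer/security/requestFiltering/verbs'

foreach ($verb in 'TRACE', 'TRACK') {
    $rule = Get-WebConfigurationProperty -PSPath $pspath -Filter $filter -Name Collection |
            Where-Object { $_.verb -eq $verb }
    if ($rule) {
        # A rule for this verb already exists: make sure it denies rather than allows it.
        Set-WebConfigurationProperty -PSPath $pspath -Filter "$filter/add[@verb='$verb']" `
            -Name allowed -Value $false
    } else {
        Add-WebConfigurationProperty -PSPath $pspath -Filter $filter -Name '.' `
            -Value @{ verb = $verb; allowed = $false }
    }
}

# Read the rules back; both entries should now report allowed = False.
Get-WebConfigurationProperty -PSPath $pspath -Filter $filter -Name Collection |
    Where-Object { $_.verb -in 'TRACE', 'TRACK' } |
    Select-Object verb, allowed

function Test-TraceEcho {
    # Sends one request with the given verb and a random marker header, then reports
    # whether the server echoed the marker back in the body (the behaviour the finding
    # describes). IIS answers a denied verb with HTTP 404 (substatus 404.6, "Verb denied").
    param([string]$Url, [string]$Method)

    $marker = [guid]::NewGuid().ToString()
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = $Method                 # HttpWebRequest accepts TRACK as a custom verb
    $req.Headers.Add('X-Probe', $marker)

    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # Non-2xx responses surface as WebException; the response object is still attached.
        $resp = $_.Exception.Response
        if (-not $resp) { throw }         # no response at all (DNS failure, connection refused)
    }

    $status = [int]$resp.StatusCode
    $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
    $body   = $reader.ReadToEnd()
    $reader.Dispose()
    $resp.Close()

    [pscustomobject]@{
        Method = $Method
        Status = $status
        Echoed = ($status -eq 200 -and $body.Contains($marker))   # True means still vulnerable
    }
}

$SiteUrl = 'http://localhost/'   # placeholder: the site you just reconfigured
'TRACE', 'TRACK' | ForEach-Object { Test-TraceEcho -Url $SiteUrl -Method $_ }
```

Setting `$pspath` to a site path such as `IIS:\Sites\Default Web Site` scopes the rule to that site's web.config instead of the server. After the change, both probes should report `Echoed = False` with a 404 status; a 200 with `Echoed = True` means the verb is still being served.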


Last updated on May 13, 2024

Use the SmartScanner Free version to test for this issue.