TRACK Method Allowed

Impact: Low


The HTTP TRACK and TRACE methods let the client see the whole request that the web server received. They are intended for testing and diagnostics. Because the returned request includes its headers, these methods can reveal sensitive information such as cookies and Authorization tokens to clients that are not supposed to have access to this data. This is often called a Cross-Site Tracing (XST) attack. The TRACK HTTP method is specific to the Microsoft IIS web server.


For Microsoft IIS, open IIS Manager, go to Request Filtering, and change the configuration for the TRACK and TRACE verbs under HTTP Verbs.
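To confirm the change took effect, the following check sends TRACE and TRACK with a canary header and reports whether the server reflects it back. It is an added example, not part of the original advisory; the `X-Probe` header, the canary value and the local `_EchoHandler` stand-in server are constructed for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = "xst-probe-constructed"  # constructed canary value, not a real credential

def verb_echoes_request(host, port, verb, use_tls=False, timeout=5):
    """Return True if the server answers `verb` with 200 and reflects our canary header."""
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request(verb, "/", headers={"X-Probe": MARKER})
        resp = conn.getresponse()
        body = resp.read(65536).decode("latin-1")
        return resp.status == 200 and MARKER in body
    except (OSError, http.client.HTTPException):
        return False  # refused, reset or malformed reply: nothing was echoed
    finally:
        conn.close()

def audit(host, port, use_tls=False):
    """Check both diagnostic verbs; True means the verb is still enabled."""
    return {v: verb_echoes_request(host, port, v, use_tls) for v in ("TRACE", "TRACK")}

class _EchoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in: TRACE enabled, TRACK unsupported (answers 501)."""
    def do_TRACE(self):
        data = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    def log_message(self, *args):
        pass  # keep the demo quiet

def demo():
    """Run the audit against the constructed local server."""
    srv = HTTPServer(("127.0.0.1", 0), _EchoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return audit("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(demo())
```

After the Request Filtering change, `audit()` against the remediated host should report `False` for both verbs.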


Last updated on March 09, 2021

