TRACE Method Allowed

Impact: Low

Description

The HTTP TRACE method makes the web server echo the exact request it received back to the client, a feature intended for testing and diagnostic purposes. When it is left enabled, the echoed request can disclose sensitive headers such as cookies and authorization tokens to unauthorized clients, which is the basis of Cross-Site Tracing (XST) attacks.

Recommendation

Disable the TRACE method in the web server configuration. For Apache web servers, add TraceEnable off to the main configuration file and reload the server.

For Microsoft IIS, open IIS Manager, navigate to Request Filtering, and under HTTP Verbs add rules that block the TRACK and TRACE verbs.
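As an added example (not part of this page or of any scanner product), a small Python check a defender can run against their own server after applying the fix. It sends a TRACE request carrying a constructed marker header and reports TRACE as enabled only when the server echoes that marker back in the body; the host name, marker header and sample responses are all constructed for the example.

```python
"""Verify whether a web server still honours HTTP TRACE after hardening."""
import socket
from typing import Tuple

# Constructed marker header: if the server echoes it back, TRACE is live.
MARKER = "X-Trace-Probe: xst-check"

def build_trace_request(host: str) -> bytes:
    """Minimal HTTP/1.1 TRACE request carrying the marker header."""
    return (
        f"TRACE / HTTP/1.1\r\nHost: {host}\r\n{MARKER}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()

def parse_trace_response(raw: bytes) -> Tuple[int, bool]:
    """Return (status_code, trace_enabled).

    A server with TRACE enabled answers 200 and echoes the whole request in
    a message/http body; a hardened server answers 405 or 501. Requiring the
    marker in the body avoids a false positive on a 200 that is really an
    error page or a proxy response rather than an echo.
    """
    text = raw.decode("latin-1")
    head, _, body = text.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split()
    try:
        status = int(parts[1])
    except (IndexError, ValueError):
        return 0, False
    return status, status == 200 and MARKER.lower() in body.lower()

def check_host(host: str, port: int = 80, timeout: float = 5.0) -> Tuple[int, bool]:
    """Send the probe over a plain TCP socket and parse the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return parse_trace_response(b"".join(chunks))

# Constructed sample replies so the parser can be exercised offline.
SAMPLE_TRACE_ENABLED = (
    b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: example.test\r\n" + MARKER.encode() + b"\r\n\r\n"
)
SAMPLE_TRACE_DISABLED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"

if __name__ == "__main__":
    print(parse_trace_response(SAMPLE_TRACE_ENABLED))   # (200, True)
    print(parse_trace_response(SAMPLE_TRACE_DISABLED))  # (405, False)
```

Run check_host against your own server on port 80 (or wrap the socket with ssl for 443); a result of (200, True) means the TraceEnable off or IIS verb rule has not taken effect.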

Last updated on May 13, 2024