TRACK Method Allowed

Impact: Low

Description

The HTTP TRACE method (and TRACK, its Microsoft IIS equivalent) makes the server echo the entire request it received back to the client. Although primarily intended for testing or diagnostic purposes, these methods can expose sensitive information such as cookies and Authorization headers to clients, potentially enabling Cross-Site Tracing (XST) attacks.

Recommendation

To mitigate this risk, for Microsoft IIS, access the IIS Manager, navigate to Request Filtering, and modify the configuration for TRACK and TRACE verbs under HTTP Verbs to disallow their usage.
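The same Request Filtering setting expressed as a web.config fragment, added here as an example rather than taken from the original page; the `<verbs>` element under `requestFiltering` is what IIS Manager edits under Request Filtering > HTTP Verbs, and the first fragment shows the default (permissive) state for comparison.

```xml
<!-- Before: no verb restrictions, so TRACE and TRACK are served (default IIS state) -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <verbs allowUnlisted="true" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

<!-- After: TRACE and TRACK are explicitly denied; all other verbs stay allowed -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <verbs allowUnlisted="true">
          <add verb="TRACE" allowed="false" />
          <add verb="TRACK" allowed="false" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

After the change, a TRACE or TRACK request should no longer be echoed; IIS answers with HTTP 404 (substatus 404.6, verb denied), which is the result to verify when rescanning.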

Last updated on May 13, 2024