Vulnerabilities/

TRACK Method Allowed

Severity:
Low

Description

The HTTP TRACK and TRACE methods allow the client to see the entire request that the web server has received. Although primarily intended for testing or diagnostic purposes, these methods can expose sensitive information like Cookies and Authorization tokens to clients, potentially leading to Cross-Site Tracing (XST) attacks.

Recommendation

To mitigate this risk, for Microsoft IIS, access the IIS Manager, navigate to Request Filtering, and modify the configuration for TRACK and TRACE verbs under HTTP Verbs to disallow their usage.

References

Related Issues

Tags:
Server Misconfiguration
Web Server
Cross-Site Tracing
HTTP
Anything's wrong? Let us know Last updated on May 13, 2024

Use SmartScanner Free version to test for this issue

Download