Description
The HTTP TRACE method (and its Microsoft-specific equivalent, TRACK) echoes the entire request that the web server received back to the client. Although primarily intended for testing and diagnostic purposes, these methods can expose sensitive request headers such as Cookie and Authorization values to client-side code, potentially enabling Cross-Site Tracing (XST) attacks.
Recommendation
To mitigate this risk, for Microsoft IIS, access the IIS Manager, navigate to Request Filtering, and modify the configuration for TRACK and TRACE verbs under HTTP Verbs to disallow their usage.
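The same request-filtering change expressed as a script, so it can be applied consistently and verified afterwards. This is an added example, not part of the original finding or Microsoft's own documentation; it assumes the WebAdministration module (IIS 7.0 or later), an elevated PowerShell session on the IIS host, and uses http://localhost/ as a placeholder URL for the functional check.

```powershell
# Added example: deny the TRACE and TRACK verbs in IIS Request Filtering
# (server-wide, in applicationHost.config) and verify the result.
# Assumptions: WebAdministration module available, elevated session,
# 'http://localhost/' is a placeholder for the site under test.

Import-Module WebAdministration

$filter = 'system.webServer/security/requestFiltering/verbs'
$psPath = 'MACHINE/WEBROOT/APPHOST'   # applies to all sites on this server

foreach ($verb in @('TRACE', 'TRACK')) {
    $entry = Get-WebConfiguration -PSPath $psPath -Filter "$filter/add[@verb='$verb']"
    if ($entry) {
        # An entry for this verb already exists: force it to a deny entry.
        Set-WebConfigurationProperty -PSPath $psPath -Filter "$filter/add[@verb='$verb']" `
            -Name 'allowed' -Value $false
    } else {
        # No entry yet: add a deny entry. This is what IIS Manager writes when
        # you deny a verb under Request Filtering > HTTP Verbs.
        Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
            -Value @{ verb = $verb; allowed = $false }
    }
}

# Read back the verb collection; TRACE and TRACK should show allowed = False.
Get-WebConfiguration -PSPath $psPath -Filter "$filter/add" |
    Select-Object verb, allowed

# Functional check from the server itself. With the deny entries in place,
# IIS Request Filtering answers 404 (substatus 404.6, "Verb denied"), which
# Invoke-WebRequest surfaces as an exception.
try {
    Invoke-WebRequest -Uri 'http://localhost/' -Method Trace -UseBasicParsing | Out-Null
    Write-Warning 'TRACE was accepted: the deny rule is not in effect for this site'
} catch {
    Write-Host "TRACE rejected as expected: $($_.Exception.Message)"
}
```

The resulting configuration is the `<verbs>` collection under `system.webServer/security/requestFiltering` with `<add verb="TRACE" allowed="false" />` and `<add verb="TRACK" allowed="false" />`; the same fragment can be placed in a site's web.config if only one application needs the restriction, and the read-back step confirms no site-level configuration has re-allowed the verbs.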