Description
The HTTP TRACK and TRACE methods echo the entire request the web server received back to the client. Although primarily intended for testing or diagnostic purposes, these methods can expose sensitive information such as cookies and Authorization headers to the client, potentially enabling Cross-Site Tracing (XST) attacks.
Recommendation
To mitigate this risk, for Microsoft IIS, access the IIS Manager, navigate to Request Filtering, and modify the configuration for TRACK and TRACE verbs under HTTP Verbs to disallow their usage.
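The same Request Filtering change expressed as a web.config fragment, as an added example that is not part of the original page. It assumes a site-level web.config (or applicationHost.config) on IIS 7 or later; the `verbs` collection under `requestFiltering` is the setting IIS Manager writes when a verb is disallowed.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Deny the diagnostic verbs at the Request Filtering stage,
             before any handler sees the request. TRACK is IIS-specific;
             TRACE is the standard HTTP method. -->
        <verbs allowUnlisted="true">
          <add verb="TRACE" allowed="false" />
          <add verb="TRACK" allowed="false" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

`allowUnlisted="true"` keeps every other verb working, so only the two listed methods are affected. After the change, a TRACE or TRACK request is rejected by Request Filtering with HTTP 404 (substatus 404.6, "Verb denied") and is logged as such, which is the quickest way to confirm the rule is in effect; a server that still answers with status 200 and a `message/http` body echoing the request has not picked up the configuration.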
Related Issues
- TRACE Method Allowed - Vulnerability
- Apache Version Disclosure - Vulnerability
- Nginx Version Disclosure - Vulnerability
- No Redirection from HTTP to HTTPS - Vulnerability
Tags:
- Server Misconfiguration
- Web Server
- Cross-Site Tracing
- HTTP
Last updated on May 13, 2024