TRACE/TRACK Method Detected

Summary #

Netsparker detected the TRACE/TRACK method is allowed.

Impact #

It is possible to bypass the HttpOnly cookie limitation and read the cookies in a cross-site scripting attack by using the TRACE/TRACK method within an XmlHttpRequest. This is not possible with modern browsers, so the vulnerability can only be used when targeting users with unpatched and old browsers.

Remediation #

Disable this method in all production systems. Even though the application is not vulnerable to cross-site scripting, a debugging feature such as TRACE/TRACK should not be required in a production system and therefore should be disabled.

Classifications #

CAPEC-107, CWE-16, ISO27001-A.14.1.2, WASC-14, OWASP 2013-A5, OWASP 2017-A6

Vulnerability Index

You can search and find all vulnerabilities

Select Category

Critical
High
Medium
Low
Best Practice
Information

Search Vulnerability

Tags

OWASP 2013-A5 OWASP 2017-A6

Related Vulnerabilities

Web Backdoor Detected
Backup Source Code Detected
SVN Detected
Trace.axd Detected
OPTIONS Method Enabled

Dead accurate, fast & easy-to-use Web Application Security Scanner

Get a demo