Summary #

Netsparker detected the TRACE/TRACK method is allowed.

Impact #
It is possible to bypass the HttpOnly cookie limitation and read the cookies in a cross-site scripting attack by using the TRACE/TRACK method within an XmlHttpRequest. This is not possible with modern browsers, so the vulnerability can only be used when targeting users with unpatched and old browsers.
Remediation #
Disable this method in all production systems. Even though the application is not vulnerable to cross-site scripting, a debugging feature such as TRACE/TRACK should not be required in a production system and therefore should be disabled.
Classifications #
CAPEC-107, CWE-16, ISO27001-A.14.1.2, WASC-14, OWASP 2013-A5, OWASP 2017-A6
Vulnerability Index

Vulnerability Index

You can search and find all vulnerabilities

OR

Search Vulnerability

Netsparker

Dead accurate, fast & easy-to-use Web Application Security Scanner

GET A DEMO