What is HTTP Trace method
The primary function of the HTTP trace method (aka trace or track verbs) is as a diagnostic tool used in web servers. It works by echoing back the received request so that the client can see what changes or additions have been made by intermediate servers.
Essentially, when a client sends a TRACE request to a server, the server responds by sending back the exact request it received, including all the headers. This allows developers to see how their requests are being processed by the server and any proxies or other intermediaries along the way.
The dangers of using HTTP trace method
As part of the information echoed when using the HTTP trace method, sensitive information such as cookies, login details and authentication tokens can be exposed. This information in the wrong hands can be used maliciously, posing serious security risk if not correctly configured. Therefore it is important to disable HTTP trace method to ensure a secure system.
Known vulnerabilities
The HTTP trace method has been known to be used maliciously in attacks such as cross site tracing (XST), and cross site scripting (XSS). These attacks allow malicious parties to obtain cookies, authentication tokens and other sensitive information. This enables attackers to bypass security protections like the “HttpOnly” attribute on cookies and potentially give them the ability to inject JavaScript or other malicious content into the response. Other potential vulnerabilities include Server side request forgery (SSRF) and information disclosure.
Disabling HTTP trace method helps mitigate these vulnerabilities and enhances the security of your web server. It is also necessary to implement other security measures therefore it is important to configure correctly.
How to disable HTTP trace method in IIS
To disable HTTP trace method do the following:
- Open Internet Information Services (IIS) Manager
- In the Connections pane, select the site, application, or directory to be configured
- In the Home pane, double-click Request Filtering
- In the Request Filtering pane, click the HTTP verbs tab, and then click Deny Verb… in the Actions pane
- In the Deny Verb dialog box, enter the TRACE, and then click OK
Enter the following command in AppCmd.exe to configure:
| %systemroot%\system32\inetsrv\appcmd set config /section:requestfiltering /+verbs.[verb=’TRACE’,allowed=’false’ |
OR
Enter the following command in PowerShell to configure:
| Add-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter “system.webServer/security/requestFiltering/verbs” -name “.” -value @{verb=’TRACE’;allowed=’False’} |
Default value
The TRACE verb is not filtered by default.
Recommended setting
It is recommended the HTTP TRACE method be denied.
Best practices
Disabling the HTTP Trace Method is a simple but important security measure. It helps protect your website from potential attacks by preventing unauthorized access to sensitive information. To give peace of mind, server hardening can be implemented, ensuring all settings are correctly configured, reducing attack surfaces freeing up manpower for more important jobs.
