Web Server TRACE Enabled

Virtue Security found web servers with the TRACE and TRACK verbs enabled. These verbs are used for debugging purposes, but under some circumstances can be used to create Cross-site Scripting (XSS) vulnerabilities. Although this scenario is generally not exploitable with modern web browsers, it is still recommended these methods be disabled.

The following session shows a server with the TRACE method enabled; the request line is echoed back in the response body:
$ nc 10.0.0.25 80
TRACE /<script>alert('xss')</script> HTTP/1.0

HTTP/1.1 200 OK
[..]
TRACE /<script>alert('xss')</script> HTTP/1.0

For more information on this attack, please reference the following URL: https://www.owasp.org/index.php/Cross_Site_Tracing

Remediation

The HTTP TRACE and TRACK methods have no use in production environments and can be safely disabled.

Disabling TRACE in Apache

For the following versions: 1.3.34 and up, 2.0.55 and up, 2.2.*, and 2.4.*

TRACE can be disabled in httpd.conf with the TraceEnable directive. This directive should be set to ‘off’ as shown below:

TraceEnable off

Disabling TRACE in Apache prior to 1.3.34 and 2.0.55

Versions of Apache that do not support the TraceEnable directive should use rewrite rules to disable TRACE. Below is an example rule:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Disabling TRACE in IIS

TRACE can be disabled in IIS with the UrlScan extension. In the UrlScan.ini configuration file, ensure that TRACE is listed in the [DenyVerbs] section. For more information on UrlScan, please reference the following URL: http://www.iis.net/downloads/microsoft/urlscan
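
To confirm that the remediation above took effect, the following Python script sends TRACE and TRACK with a harmless marker header and reports whether the server echoes it back. It is an added example, not code from the original page; the marker value, the X-Trace-Check header name and the function names are assumptions chosen for illustration.

```python
import http.client

MARKER = "trace-check-7f3a"  # constructed marker; any unique string works


def classify(status, content_type, body, marker=MARKER):
    """Judge one response to a TRACE/TRACK probe."""
    # A server that honours the verb echoes the request, headers included,
    # normally as "message/http" with a 200 status.
    if marker in body:
        return "enabled"
    if status == 200 and content_type.lower().startswith("message/http"):
        return "enabled"
    # Refusals: TraceEnable off answers 405, a RewriteRule [F] answers 403.
    # Any other 4xx/5xx without an echo also means the verb was not served.
    if status >= 400:
        return "disabled"
    # 2xx/3xx without an echo: something handled the verb like an ordinary
    # request (proxy, framework router); check by hand.
    return "inconclusive"


def probe(host, port=80, use_tls=False, timeout=5.0):
    """Send TRACE and TRACK to host:port and return {verb: verdict}."""
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    results = {}
    for verb in ("TRACE", "TRACK"):
        conn = conn_cls(host, port, timeout=timeout)
        try:
            conn.request(verb, "/", headers={"X-Trace-Check": MARKER})
            resp = conn.getresponse()
            body = resp.read(65536).decode("latin-1")
            ctype = resp.getheader("Content-Type", "")
            results[verb] = classify(resp.status, ctype, body)
        except (OSError, http.client.HTTPException) as exc:
            results[verb] = "error: %s" % exc
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    import sys
    # Usage: python trace_check.py <host> [port]
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        print(probe(sys.argv[1], port))
```

Run it before and after the configuration change; both verbs should move from "enabled" to "disabled".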
