What will an attacker gain from TRACE exploitation, and what is the recommendation to fix this issue?
-2
- Duplicated: http://security.stackexchange.com/questions/56955/is-the-http-trace-method-a-security-vulnerability, http://security.stackexchange.com/questions/7703/implications-of-trace-track-methods-on-apache, http://security.stackexchange.com/questions/16676/http-trace-vulnerability-discovered-what-should-i-do – kinunt Dec 09 '14 at 06:11
- Please refrain from asking any more questions as long as you have not read our FAQ and help pages. – Lucas Kauffman Dec 09 '14 at 07:21
1 Answer
1
Anything sent in a request using the HTTP TRACE method will be echoed back in the response.
This may lead to Cross Site Tracing (XST) attacks, which could lead to the theft of a user's cookie even if the cookie has the HttpOnly attribute flag set.
The HTTP TRACE method is used for debugging purposes only and should be disabled.
Apache Configuration:
TraceEnable off
IIS Registry Setting:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters
EnableTraceMethod: 0
Jeroen