HTTP TRACE Allowed

low Web App Scanning Plugin ID 98048

Language:

Synopsis

HTTP TRACE Allowed

Description

The HTTP TRACE method allows a client to send a request to the server, and have the same request sent back in the server's response. This allows the client to determine if the server is receiving the request as expected. Often this method is used for debugging purposes (e.g. to verify that a request arrives unaltered).

On many default installations the TRACE method is still enabled.

While not vulnerable by itself, it does provide a method for cyber attackers to bypass the HTTPOnly cookie flag, and therefore could allow a XSS attack to successfully access a session token.

The scanner has discovered that the affected page permits the HTTP TRACE method.

Solution

The HTTP TRACE method is normally not required within production sites and should therefore be disabled.

See Also

http://www.owasp.org/index.php/Cross_Site_Tracing

https://www.kb.cert.org/vuls/id/867593

Plugin Details

Severity: Low

ID: 98048

Type: remote

Family: Web Servers

Published: 3/31/2017

Updated: 4/6/2022

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 2.2

CVSS v2

Risk Factor: Low

Base Score: 2.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Low

Base Score: 3.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Low

Base Score: 2.1

Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information

CWE: 693

OWASP: 2010-A6, 2013-A5, 2017-A6

WASC: Application Misconfiguration

CAPEC: 1, 107, 127, 17, 20, 22, 237, 36, 477, 480, 51, 57, 59, 65, 74, 87

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-CM-6b

OWASP API: 2019-API7, 2023-API8

PCI-DSS: 3.2-2.2