Information Leakage / HTTP Trace Method Is Enabled

Web and API

Description

The web server is configured to support the HTTP TRACE method. TRACE is a diagnostic method that echoes back the received request, including all headers, in the response body. When enabled, the server reflects the complete HTTP request - including potentially sensitive headers such as cookies, authorization tokens, and custom security headers - back to the client.

This issue is covered in the OWASP Web Security Testing Guide under WSTG-CONF-06 (Test HTTP Methods).

Risk

An enabled TRACE method can facilitate Cross-Site Tracing (XST) attacks. In an XST attack, an attacker who can run script in the victim's browser context (for example through a cross-site scripting flaw) issues a TRACE request to the server. The browser attaches the victim's cookies and any Authorization header to that request, and the server reflects the full request in the response body, so the script can read those values and exfiltrate them. This defeats the HttpOnly cookie flag, whose purpose is precisely to keep the session cookie out of reach of script.

Modern browsers have mitigated XST by refusing to send TRACE from XMLHttpRequest and the Fetch API (TRACE is a forbidden method in the Fetch standard), so the browser-based attack is no longer practical against current clients. The risk persists for legacy browsers, browser plugins, and non-browser HTTP clients that carry credentials. Independently of XST, TRACE is an information leak in its own right: the response reflects the request as it arrived at the server, so headers added in transit by reverse proxies and load balancers (forwarded-for addresses, internal host names, proxy authentication headers) are returned to the client and reveal details of the internal architecture.

Solution

Disable the HTTP TRACE method on every web server and on any reverse proxy or load balancer in front of it, since a TRACE that an intermediary forwards unchanged still reaches the origin. For Apache, set TraceEnable off in the server configuration; note that TRACE is handled by the Apache core and cannot be blocked with <Limit> or <LimitExcept>, and that TraceEnable extended (which additionally accepts a request body) is intended for debugging only. For Nginx, TRACE is not implemented and is rejected with 405 by default, so no change is normally required; it can be blocked explicitly by returning a 405 status for TRACE requests. For IIS, deny the TRACE verb under Request Filtering (HTTP Verbs), which records the deny rule in the requestFiltering section of web.config. After making changes, verify the fix on every listener (each virtual host, plain HTTP and HTTPS) by sending a TRACE request that carries a recognisable marker header and confirming that the server returns 405 Method Not Allowed (or another error status) and that the marker does not appear in the response body. An echoed request in the body is the decisive sign that TRACE is still active, whatever status code accompanies it.
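To make the verification step concrete, the following Python script is an added example and is not part of the original page or of any vendor's tooling. It starts two constructed loopback servers, one that reflects TRACE requests the way an affected server does and one that rejects them with 405, and probes each with a TRACE request carrying a marker header; the header name X-Trace-Canary, its value, and the sample cookie are assumptions chosen for the example. Point check_trace at a real host and port to test a deployed server.

```python
"""Detect HTTP TRACE reflection: probe with a marker header and look for it in the body."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical marker header used only by this check (not a real standard header).
CANARY_HEADER = "X-Trace-Canary"
CANARY_VALUE = "trace-probe-7f3a"


class VulnerableHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server with TRACE enabled: echoes the request."""

    def do_TRACE(self):
        # Reflect the request line and all received headers as message/http,
        # which is exactly what exposes cookies and proxy-added headers.
        body = f"{self.requestline}\r\n{self.headers.as_string()}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class HardenedHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server with TRACE disabled: 405 plus Allow header."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def serve(handler):
    """Start handler on an ephemeral loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def check_trace(host, port, timeout=5):
    """Send a TRACE with a marker header; return (status, reflected).

    reflected is True only when the body echoes the marker header, i.e. the
    server really reflects request headers rather than merely answering 200.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={CANARY_HEADER: CANARY_VALUE,
                                            "Cookie": "session=secret"})
        resp = conn.getresponse()
        body = resp.read().decode(errors="replace")
    finally:
        conn.close()
    reflected = resp.status == 200 and f"{CANARY_HEADER}: {CANARY_VALUE}" in body
    return resp.status, reflected


def is_trace_enabled(host, port):
    """True when the target reflects request headers in response to TRACE."""
    _status, reflected = check_trace(host, port)
    return reflected


if __name__ == "__main__":
    for name, handler in (("vulnerable", VulnerableHandler), ("hardened", HardenedHandler)):
        srv, port = serve(handler)
        status, reflected = check_trace("127.0.0.1", port)
        print(f"{name}: HTTP {status}, headers reflected={reflected}")
        srv.shutdown()
```

The check deliberately keys on the marker header rather than on the status code alone: a server behind a misconfigured proxy may answer 200 to TRACE without echoing anything, and another may echo the request with a non-200 status, so the presence of the marker in the body is what proves reflection.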
