HTTP TRACE method vulnerability and Fixing

Abinesh M
3 min readSep 20, 2023

--

Hi Heckerss!! 🙋‍♂️

I hope you read my old blogs. If not, check it out. 🤝

Now Let’s start…! another blog…

Description:

The HTTP TRACE method is one of the HTTP methods used for debugging and diagnostic purposes. When a client sends an HTTP TRACE request to a server, the server is supposed to respond by echoing back the received request to the client. This can be helpful for troubleshooting or understanding how a request is being processed by intermediaries and the server itself.

Enabling the HTTP TRACE method on a production server can introduce a security vulnerability known as Cross-Site Tracing (XST) or Cross-Site Tracing Attack. This vulnerability occurs when an attacker is able to trick a user’s browser into making a TRACE request to a website, and then reading the sensitive data included in the response, such as cookies and authentication tokens.

Impact:

  1. 🔐 Session Hijacking: An attacker can steal session cookies and authentication tokens, potentially gaining unauthorized access to a user’s account.
  2. 🚀 Cross-Site Scripting (XSS): If the TRACE response includes user-input data without proper sanitization, it can lead to XSS attacks, compromising the security of the application.
  3. 🔍 Information Disclosure: Sensitive information, such as HTTP headers and cookies, can be exposed, leading to privacy breaches.

Let’s start with the practical one 😉

First, we have to understand how the TRACE method will show up in response.

Fixing:

1. Navigate to the Apache configuration file

2. Open conf-available Folder and check if the security configuration file is available or not.

3. Open the security.conf file using nano and turn off the TRACE enable.

4. Save the configuration file and exit

5. Now restart the Apache server and verify using the burp suite.

Okay… will see in the next blog 👋🙋‍♂️.

Happy Hunting….!

Reach out to me, If you have any queries 🤝

👔 LinkedIn: Abinesh M

📱 Instagram: Abi_Hecker

--

--

Abinesh M
Abinesh M

Responses (1)