TRACE HTTP method enabled
Description
The debug TRACE method was found to be enabled on the target web server. This HTTP method reflects the received HTTP request back to the client in the response body. In some circumstances this reflected data may include sensitive information that intermediary proxies added to the request.
Remediation
The TRACE HTTP method is for debugging only and should not be enabled on production sites.
For Apache-based web servers, ensure the TraceEnable directive is either removed or set to off.
For Microsoft servers, remove the registry parameter named "EnableTraceMethod" found in the registry key below:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters
For all other server types, consult your product’s documentation on how to disable the TRACE method.
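One way to confirm that the remediation took effect, as an added example that is not part of the original finding text: the check sends a single TRACE request carrying a random marker header and treats a 2xx reply whose body echoes that marker as "TRACE still enabled". The two raw responses embedded below are constructed samples, not captures from any real server.

```python
"""Verify whether a web server still honours the HTTP TRACE method."""
import http.client
import secrets
import ssl
import sys

# Constructed sample responses (status, headers, body) used by the test;
# the first is what an Apache with TraceEnable on typically returns, the
# second a server that rejects the method.
SAMPLE_ENABLED = (
    200,
    {"Content-Type": "message/http"},
    b"TRACE / HTTP/1.1\r\nHost: example.test\r\nX-Trace-Marker: abc123\r\n\r\n",
)
SAMPLE_DISABLED = (405, {"Allow": "GET, HEAD, POST"}, b"Method Not Allowed")


def trace_reflected(status, headers, body, marker):
    """Return True if the reply shows TRACE is honoured.

    A server that echoes the request reproduces our marker header in the
    body of a 2xx response (normally with Content-Type message/http).
    Any non-2xx status, or a 2xx that does not echo the marker (e.g. a
    generic HTML page), is treated as "not reflected".
    """
    return 200 <= status < 300 and marker.encode() in body


def probe_trace(host, port=80, path="/", use_tls=False, timeout=5.0):
    """Send one TRACE request to a server you administer and classify it."""
    marker = secrets.token_hex(8)  # random, so a cached page cannot match
    if use_tls:
        conn = http.client.HTTPSConnection(
            host, port, timeout=timeout, context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={"X-Trace-Marker": marker})
        resp = conn.getresponse()
        body = resp.read()
        return trace_reflected(resp.status, dict(resp.getheaders()), body, marker)
    finally:
        conn.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print("TRACE enabled" if probe_trace(target) else "TRACE disabled")
```

Run it against the remediated host after applying the directive or registry change; a result of "TRACE disabled" means the finding no longer reproduces.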
Details
ID | Aggregated | CWE | Type | Risk |
---|---|---|---|---|
16.11 | false | 16 | Active | high |