Disable HTTP track method in .net 1.1

  • Question

  • User-838913992 posted

    Hi every one,

My company is scanning its website for vulnerabilities. The issue is titled "HTTP TRACK Method Enabled (http-track-method-enabled)". The short description is "The HTTP TRACK method is normally used to return the full HTTP request back to the requesting client for proxy-debugging purposes. An attacker can create a webpage using XMLHTTP, ActiveX, or XMLDOM to cause a client to issue a TRACK request and capture the client's cookies. This effectively results in a Cross-Site Scripting attack."

    The scan's recommended solution is as follows:

    Disable the TRACE and/or TRACK method from the Web server.

    We are using the URLScan tool to deny HTTP TRACE requests. The default configurations of URLScan 2.5 (both baseline and SRP) only permit the GET and HEAD methods.

    What settings do I need to change in URLScan to block the TRACK and TRACE methods? Right now our IIS version is 6 and the .NET Framework version is 1.1.

    Any answers are appreciated. Thanks in advance.

    Regards,

    Anil Kumar

    Tuesday, April 29, 2014 11:22 PM

Answers

  • User-823319154 posted

    Hi Anil,

    Please make sure the URLScan.ini is located in C:\Windows\System32\inetsrv\urlscan. If UseAllowVerbs=1, make sure TRACE/TRACK are not under the [AllowVerbs] section. Otherwise, make sure TRACE/TRACK are under the [DenyVerbs] section.

    Reference:

    URLScan 3.1 not blocking Trace and Track Methods

    Best regards

    Angie

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Wednesday, April 30, 2014 10:14 PM
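As an added example (not part of the original thread, and not code from Microsoft or URLScan): a small Python checker that applies the rule in Angie's answer to a urlscan.ini. It parses the [options], [AllowVerbs] and [DenyVerbs] sections and reports, for TRACE and TRACK, whether the file as written would reject the verb: with UseAllowVerbs=1 a verb is rejected unless it appears under [AllowVerbs]; with UseAllowVerbs=0 it is rejected only if it appears under [DenyVerbs]. The three embedded ini fragments are constructed, minimal samples (a real urlscan.ini carries many more options); the case-insensitive verb and section matching is an assumption made so the check stays conservative.

```python
import configparser

DANGEROUS_VERBS = ("TRACE", "TRACK")

# Constructed sample: allow-list mode, but TRACE was left in [AllowVerbs].
WEAK_INI = """\
[options]
UseAllowVerbs=1
[AllowVerbs]
GET
HEAD
POST
TRACE
[DenyVerbs]
"""

# Constructed sample: allow-list mode with only the verbs the site needs.
HARDENED_ALLOWLIST_INI = """\
[options]
UseAllowVerbs=1
[AllowVerbs]
GET
HEAD
POST
[DenyVerbs]
"""

# Constructed sample: deny-list mode, so TRACE and TRACK must be named explicitly.
HARDENED_DENYLIST_INI = """\
[options]
UseAllowVerbs=0
[AllowVerbs]
GET
HEAD
[DenyVerbs]
TRACE
TRACK
"""


def load_urlscan_ini(text):
    """Parse urlscan.ini text. Verb sections hold bare lines, so allow_no_value
    is required; ';' comments (URLScan's style) are handled by configparser."""
    cp = configparser.ConfigParser(
        allow_no_value=True, delimiters=("=",), interpolation=None, strict=False
    )
    cp.optionxform = str  # keep option names as written; we normalize below
    cp.read_string(text)
    return cp


def _section(cp, name):
    """Return {lowercased key: value} for a section, matched case-insensitively
    (assumption: URLScan does not care about section-name case). Missing -> {}."""
    for s in cp.sections():
        if s.lower() == name.lower():
            return {k.lower(): (v or "") for k, v in cp.items(s)}
    return {}


def verb_is_rejected(cp, verb):
    """Apply URLScan's verb policy as described in the answer above."""
    opts = _section(cp, "options")
    use_allow = opts.get("useallowverbs", "0").strip() == "1"
    allow = set(_section(cp, "AllowVerbs"))
    deny = set(_section(cp, "DenyVerbs"))
    v = verb.lower()
    if use_allow:
        return v not in allow      # anything not explicitly allowed is rejected
    return v in deny               # otherwise only listed verbs are rejected


def audit(text):
    """Map each dangerous verb to True if this urlscan.ini would reject it."""
    cp = load_urlscan_ini(text)
    return {v: verb_is_rejected(cp, v) for v in DANGEROUS_VERBS}


def is_hardened(text):
    """True only when both TRACE and TRACK would be rejected."""
    return all(audit(text).values())


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI),
                       ("allow-list", HARDENED_ALLOWLIST_INI),
                       ("deny-list", HARDENED_DENYLIST_INI)):
        print(label, audit(ini), "hardened" if is_hardened(ini) else "NOT hardened")
```

Point the script at the real file with `audit(open(r"C:\Windows\System32\inetsrv\urlscan\urlscan.ini").read())` and, after editing, restart the web service so URLScan reloads the file; then confirm from outside the server that a TRACE request no longer echoes the request back.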