Unsafe HTTP methods
Vulnerability name: Unsafe HTTP methods
Aliases
- Web server HTTP Trace/Track method support
- Cross-site tracing vulnerability
- Dangerous HTTP methods
Scope
- Although this is a server configuration issue, it is the client that is at risk here
Remediation
- Disable the TRACE, TRACK and/or DEBUG methods, whichever the server has enabled
Verification
Using curl, one can exercise the method by hand:
curl -sIX TRACE $TARGET | awk 'NR==1 {print $2}'
Vulnerable when: the result is 200
A non-vulnerable server should answer with 405 (Method Not Allowed) or 501 (Not Implemented).
This sends a TRACE request to $TARGET and prints the HTTP status code using awk (the second field of the first response line). The -I parameter fetches the headers only, -s enables silent mode, and -X sets the request method.
The easiest way to test whether a server is vulnerable is to use the script analyze_hosts.py [1]. This script uses both curl and nmap to perform multiple tests:
analyze_hosts.py --trace http://www.target.com
Note
When an OPTIONS request is issued, the web server should return the methods it supports. Some web servers have a habit of replying with methods that are in fact not supported - which does not combine nicely with inferior security scanners (and pentesters, I might add) that relying …
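The verification above and the note about OPTIONS both come down to one rule: judge a server by what it actually does with a TRACE request, not by what it advertises. The following is an added example, not code from the original page or from analyze_hosts.py. It implements the same check as the curl one-liner in Python's standard library and, so that it can run offline, constructs two small in-process test servers: one that honours TRACE (echoing the request back, status 200) and one that refuses it with 501 while still listing TRACE in its OPTIONS Allow header, exactly the misleading behaviour the note describes. The header name X-Trace-Probe, the probe value and both handlers are assumptions made for this example.

```python
"""Check a web server's real TRACE behaviour versus what OPTIONS advertises.

Added example (not part of the original page). Uses only the standard
library; the two test servers below are constructed for offline use.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = "X-Trace-Probe"          # assumed header name, used to detect echoing
PROBE = "trace-probe-0123456789"  # constructed value we expect to see reflected


def _request(host, port, method, headers=None, timeout=5):
    """Send one request and return (status, response headers, body text)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, "/", headers=headers or {})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
        return resp.status, resp.headers, body
    finally:
        conn.close()


def check_trace(host, port):
    """Classify a server the way the page's curl check does (200 == vulnerable),
    and additionally compare that result with the OPTIONS Allow header."""
    status, _, body = _request(host, port, "TRACE", {MARKER: PROBE})
    _, opt_headers, _ = _request(host, port, "OPTIONS")
    allow = opt_headers.get("Allow", "") or ""
    advertised = {m.strip().upper() for m in allow.split(",") if m.strip()}
    return {
        "trace_status": status,
        "vulnerable": status == 200,            # the page's rule
        "echoes_request": PROBE in body,        # confirms a genuine TRACE echo
        "advertised": advertised,
        # the case from the note: TRACE listed by OPTIONS but not actually honoured
        "misadvertised": "TRACE" in advertised and status != 200,
    }


class _QuietHandler(BaseHTTPRequestHandler):
    def log_message(self, fmt, *args):  # keep the example's output clean
        pass


class VulnerableHandler(_QuietHandler):
    """Constructed server that honours TRACE: echoes request line and headers."""

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, OPTIONS, TRACE")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_TRACE(self):
        echo = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)


class HardenedHandler(_QuietHandler):
    """Constructed server with no do_TRACE: BaseHTTPRequestHandler answers 501
    Not Implemented, yet OPTIONS still (wrongly) advertises TRACE."""

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, OPTIONS, TRACE")
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_server(handler):
    """Bind a test server on an ephemeral localhost port and serve in a thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    for name, handler in (("vulnerable", VulnerableHandler),
                          ("hardened", HardenedHandler)):
        srv = start_server(handler)
        result = check_trace("127.0.0.1", srv.server_address[1])
        print(name, result)
        srv.shutdown()
```

Against the constructed vulnerable server the result reports trace_status 200 with the probe header echoed in the body; against the hardened one it reports 501, not vulnerable, and misadvertised because OPTIONS listed TRACE anyway. Against a real host, replace the test server with the target's host and port; only the TRACE status decides, which is the point of the note.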