Task #12575
Task #12556: Pentest - 2nd Assessment [2021]
Pentest_IBAM - HTTP TRACE Method Enabled[INFO]
| Status: | Development / Work In Progress | Start date: | November 08, 2021 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | Chun Feng Lim | % Done: | 0% |
| Category: | Penetration Test Issue | Spent time: | - |
| Target version: | - | | |
Description
The HTTP TRACE method is designed for diagnostic purposes. If enabled, the web server will respond to requests that use the TRACE method by echoing in its response the exact request that was received. This behavior is often harmless, but occasionally leads to the disclosure of sensitive information such as internal authentication headers appended by reverse proxies. This functionality could historically be used to bypass the HttpOnly cookie flag on cookies, but this is no longer possible in modern web browsers.
Solution provided by LGMS:
The TRACE method should be disabled on production web servers.
Affected URL:
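An added verification check for re-testing this finding; it is not part of the ticket or of LGMS's report. It sends a TRACE request carrying a marker header and reports TRACE as enabled only if the server echoes the request back (a `message/http` body, or the marker appearing in the body), so a server that answers TRACE with an ordinary 200 page is not counted as a false positive. The hostname `www.example.test` and the sample responses are constructed.

```python
import socket
import ssl
from urllib.parse import urlparse

PROBE_HEADER, PROBE_VALUE = "X-Trace-Probe", "trace-check-1"  # marker we expect echoed

def build_trace_request(host, path="/"):
    """Minimal HTTP/1.1 TRACE request carrying the marker header."""
    return (f"TRACE {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"{PROBE_HEADER}: {PROBE_VALUE}\r\nConnection: close\r\n\r\n")

def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def trace_enabled(raw_response):
    """True only for a 200 that echoes the request (message/http body or our
    marker inside it); a 200 serving an ordinary page is not an echo."""
    status, headers, body = parse_response(raw_response)
    if status != 200:
        return False
    ctype = headers.get("content-type", "").split(";")[0].strip()
    return ctype == "message/http" or f"{PROBE_HEADER}: {PROBE_VALUE}" in body

def check_trace(url, timeout=5.0):
    """Send the probe to url (a host you are authorised to test) and report."""
    u = urlparse(url)
    host, port = u.hostname, u.port or (443 if u.scheme == "https" else 80)
    sock = socket.create_connection((host, port), timeout=timeout)
    if u.scheme == "https":
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_trace_request(host, u.path or "/").encode())
        raw = b""
        while data := sock.recv(4096):
            raw += data
    return trace_enabled(raw.decode(errors="replace"))

# Constructed sample responses (not captured from any real host).
ECHOED = ("HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
          + build_trace_request("www.example.test"))
REFUSED = "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"
PLAIN_PAGE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"
```

`check_trace("https://www.example.test/")` runs the live probe; `trace_enabled(REFUSED)` is what a correctly remediated server should produce.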
History
#1 Updated by Nurul Athira Abdul Rahim almost 3 years ago
- Status changed from New - Begin Life Cycle to Development / Work In Progress
The option is not available on the current server as it's WebSphere Application Server. Will perform the fix on the web server.
#2 Updated by Nurul Athira Abdul Rahim over 2 years ago
Kindly review the fixes, as the new pentest (March 9, 20202) result status stated "not solved".