HTTP TRACE and TRACK Methods Enabled
| Scan IDs | misconfiguration.http_trace, misconfiguration.http_track |
|---|---|
| Severity | Info |
| Classifications | CWE-489: Active Debug Code |
| OWASP Category | OWASP API8:2023 Security Misconfiguration |
The HTTP TRACE and TRACK methods are debugging methods that instruct the web server to echo back the complete incoming request — including all headers — as the response body. This means any Authorization, Cookie, or custom header sent with the request is returned verbatim in the response.
In a Cross-Site Tracing (XST) attack, a browser-based script that can issue TRACE requests could use this echo behaviour to steal HttpOnly cookies or authorization headers that would otherwise be inaccessible to JavaScript. While modern browser security policies (CSP, CORS, SameSite) mitigate many XST paths, leaving TRACE/TRACK enabled violates the principle of least privilege and may expose sensitive headers in logs, proxies, or less-protected environments.
Example
Section titled “Example”TRACE /api/users HTTP/1.1Host: api.example.comAuthorization: Bearer eyJhbGciOiJSUzI1NiI...X-Custom-Internal: secret
HTTP/1.1 200 OKContent-Type: message/http
TRACE /api/users HTTP/1.1Host: api.example.comAuthorization: Bearer eyJhbGciOiJSUzI1NiI...X-Custom-Internal: secretThe full request — including Authorization — is reflected back in the response body.
How to test?
Section titled “How to test?”vulnapi scan curl [url] -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans misconfiguration.http_trace --scans misconfiguration.http_trackecho "eyJhbGciOiJSUzUxMiI..." | vulnapi scan openapi [OpenAPI_Path_Or_URL] --scans misconfiguration.http_trace --scans misconfiguration.http_trackvulnapi scan graphql -H "Authorization: Bearer eyJhbGciOiJSUzUxMiI..." --scans misconfiguration.http_trace --scans misconfiguration.http_track [url]VulnAPI supports scanning against various types of other vulnerabilities as well.
What is the impact?
Section titled “What is the impact?”- Header exposure:
Authorization,Cookie, and custom internal headers sent with a TRACE request are reflected in the response body, making them readable by any party that can observe the response (intermediate proxies, logs, browser scripts under certain conditions). - Debug information leakage: internal headers (
X-Internal-User,X-Request-ID, etc.) that would not normally be visible to clients may be exposed. - Cross-Site Tracing (XST): in older browser environments or when combined with other vulnerabilities, TRACE can be used to steal credentials from browser-based clients.
How to remediate?
Section titled “How to remediate?”Disable TRACE and TRACK at the web server level.
Nginx — restrict to allowed methods only:
location / { limit_except GET POST PUT DELETE PATCH OPTIONS { deny all; }}Apache — disable TRACE globally:
TraceEnable OffExpress (Node.js) — reject TRACE/TRACK in middleware:
app.use((req, res, next) => { if (req.method === 'TRACE' || req.method === 'TRACK') { return res.status(405).send('Method Not Allowed'); } next();});Verify the fix by checking that TRACE returns a 405 Method Not Allowed response:
curl -X TRACE https://api.example.com/ -i# Expected: HTTP/1.1 405 Method Not Allowed