Trace.axd Detected
Description
The ASP.NET application has trace functionality enabled and accessible via the Trace.axd endpoint. When enabled, this diagnostic feature logs detailed information about HTTP requests, including session identifiers, authentication tokens, server variables, form data, cookies, and physical file paths. This sensitive debugging information is intended for development environments only and should never be exposed in production systems.
Remediation
Disable application-level tracing in production environments by modifying the Web.config file. Locate the <code>&lt;trace&gt;</code> element within the <code>&lt;system.web&gt;</code> section and set the <code>enabled</code> attribute to <code>false</code>:<br/><br/><pre>&lt;configuration&gt;
  &lt;system.web&gt;
    &lt;trace enabled="false" localOnly="true" /&gt;
  &lt;/system.web&gt;
&lt;/configuration&gt;</pre><br/>After making this change, verify that Trace.axd is no longer accessible by attempting to navigate to <code>https://yoursite.com/Trace.axd</code>. If tracing is required for troubleshooting, enable it only temporarily and ensure <code>localOnly="true"</code> is set to restrict access to localhost only. Additionally, consider implementing URL authorization rules to explicitly deny access to Trace.axd for all users.
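The following Python script is an added example, not part of the original advisory or of any product's code. It audits a Web.config for the settings described above: whether trace is enabled, whether localOnly has been relaxed, and whether a location-scoped URL authorization rule denies all users for Trace.axd. The two sample configurations and the function name audit_trace are constructed for illustration, and the case-insensitive handling of attribute values is a leniency of this script.

```python
import xml.etree.ElementTree as ET

# Constructed sample: tracing on and readable from remote hosts.
WEAK = """<configuration>
  <system.web>
    <trace enabled="true" localOnly="false" />
  </system.web>
</configuration>"""

# Constructed sample: tracing off, plus a deny-all rule scoped to Trace.axd.
HARDENED = """<configuration>
  <system.web>
    <trace enabled="false" localOnly="true" />
  </system.web>
  <location path="Trace.axd">
    <system.web>
      <authorization><deny users="*" /></authorization>
    </system.web>
  </location>
</configuration>"""

def audit_trace(web_config_xml):
    """Return findings about Trace.axd exposure for one Web.config document."""
    root = ET.fromstring(web_config_xml)
    trace = root.find("system.web/trace")
    attrs = trace.attrib if trace is not None else {}
    # ASP.NET defaults when absent: enabled="false", localOnly="true".
    enabled = attrs.get("enabled", "false").lower() == "true"
    local_only = attrs.get("localOnly", "true").lower() == "true"
    findings = []
    if enabled:
        findings.append("trace enabled")
    if not local_only:
        findings.append("localOnly is false")
    # Rules match in order, so only a leading <deny users="*"/> blocks everyone.
    denied = False
    for loc in root.findall("location"):
        if loc.get("path", "").strip("/").lower() != "trace.axd":
            continue
        first = loc.find("system.web/authorization/*")
        if first is not None and first.tag == "deny" and first.get("users") == "*":
            denied = True
    if not denied:
        findings.append("no deny-all rule for Trace.axd")
    return findings

if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_trace(doc) or "ok")
```

An allow rule placed ahead of the deny rule is reported as a missing deny-all rule, because the first matching authorization rule wins.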