TRACK Method enabled
Description
The HTTP TRACK method is enabled on this web server. TRACK is a debugging method that echoes back the exact request received by the server, including all HTTP headers. When combined with cross-site scripting (XSS) or other cross-domain vulnerabilities in web browsers, attackers can potentially access sensitive information contained in HTTP headers such as cookies, authentication tokens, and session identifiers. Additionally, some web servers (notably IIS 5) do not log TRACK requests, which can hinder incident detection and forensic analysis.
Remediation
Disable the HTTP TRACK method on the web server. Implementation steps vary by server type:
Apache HTTP Server: Add the following lines to your configuration file (httpd.conf or .htaccess):
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

Microsoft IIS: Use the URLScan ISAPI filter or add a custom request filtering rule to block TRACK requests. In IIS 7.0 and later, configure request filtering in web.config:
    <configuration>
      <system.webServer>
        <security>
          <requestFiltering>
            <verbs>
              <add verb="TRACK" allowed="false" />
            </verbs>
          </requestFiltering>
        </security>
      </system.webServer>
    </configuration>

Nginx: Add the following to your server configuration block:
    if ($request_method = TRACK) {
        return 405;
    }

After making changes, restart the web server and verify that the TRACK method is disabled by sending a TRACK request and confirming that the server refuses it (for example with a 403, 405 or 501 response) instead of echoing the request headers back.
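The verification step above, as an added example that is not part of the original finding: it sends a single TRACK request carrying a random marker header and treats the method as disabled only if the server answers with an error status and the marker is not echoed back in the body. The header name `X-Track-Check` and the default target `localhost` are assumptions for illustration.

```python
"""Check that the HTTP TRACK method is disabled on a web server."""
import http.client
import secrets
import sys

# Assumed header name; any header the server would not normally see works.
MARKER_HEADER = "X-Track-Check"


def track_is_disabled(status, body, marker):
    """Decide from one response whether TRACK is refused.

    A working TRACK/TRACE handler echoes the request, so the marker
    header shows up in the body; if it does, the method is still enabled
    no matter what status code came back. Otherwise require a 4xx/5xx
    (typically 403, 405 or 501) before calling it disabled; a 2xx with
    an unrelated body is not proof of anything.
    """
    if marker in body:
        return False
    return 400 <= status < 600


def check_track(host, port=80, path="/", use_tls=False, timeout=5):
    """Send one TRACK request and return (status, disabled) for host."""
    marker = secrets.token_hex(8)
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request("TRACK", path, headers={MARKER_HEADER: marker})
        resp = conn.getresponse()
        # latin-1 never fails to decode, so a binary error page cannot break the check
        body = resp.read().decode("latin-1")
        return resp.status, track_is_disabled(resp.status, body, marker)
    finally:
        conn.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumed default
    status, disabled = check_track(target)
    print(f"{target}: HTTP {status} -> TRACK {'disabled' if disabled else 'STILL ENABLED'}")
```

Run it against the server after the configuration change; a `STILL ENABLED` result means the request was echoed or accepted and the rule is not taking effect.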