Details
Alert ID 90028-3
Alert Type Active
Status beta
Risk Medium
CWE 749
WASC 45
Technologies Targeted All
Tags CWE-749
OWASP_2017_A06
OWASP_2021_A05
OWASP_2025_A02
POLICY_DEV_FULL
POLICY_PENTEST
POLICY_QA_FULL
WSTG-V42-CONF-06
More Info Scan Rule Help

Summary

The insecure HTTP method [TRACE] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the HttpOnly flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability.

Solution

Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods.

Other Info

A TRACE request was sent for this request, with a custom cookie value [examplecookievalue]. This cookie value was disclosed in the HTTP response, confirming the vulnerability.

References

Code

org/zaproxy/zap/extension/ascanrulesBeta/InsecureHttpMethodScanRule.java