How is QID 86473 - Web Server HTTP Trace/Track Method Support Cross-Site Tracing detected?

Document created by kb-author-1 Employee on May 19, 2010Last modified by eschamp on Sep 2, 2010
Version 4Show Document
  • View in full screen mode

Issue:

How is QID 86473 - Web Server HTTP Trace/Track Method Support Cross-Site Tracing detected?

 

Solution:

QID 86473 can be verified manually from the command-line (press Enter twice after the last line):

-----[example]-----

tester@qualys:~ /$ telnet 192.168.10.10 80
Trying 192.168.10.10...
Connected to 192.168.10.10.
Escape character is '^]'.
TRACE / HTTP/1.0
Via: <script>alert(document.domain)</script>

-----[/example]-----

 

The following reply from the web server appears:

-----[example]-----

HTTP/1.1 200 OK
Date: Wed, 01 Sep 2010 18:48:36 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Via: <script>alert(document.domain)</script>

Connection closed by foreign host.
-----[/example]-----

 

In this result, the TRACE method faithfully echos back the original input script. TRACE is used for diagnostic purposes and may generally be disabled without issue.

 

 

Qualys Support KnowledgeBase

http://community.qualys.com/community/kb

Attachments

    Outcomes