HTTP trace method is enabled

Disclosed: 2016-02-17 16:14:14 By a0xnirudh To gratipay
Low
Vulnerability Details
Hello, HTTP TRACE method is enabled on your server which should not be enabled. It can lead to cross site tracing ! Cross site tracing: https://www.owasp.org/index.php/Cross_Site_Tracing ``` root@initlabs:~# curl -vX TRACE "https://gratipay.com" * Rebuilt URL to: https://gratipay.com/ * Hostname was NOT found in DNS cache * Trying 54.243.70.145... * Connected to gratipay.com (54.243.70.145) port 443 (#0) * successfully set certificate verify locations: * CAfile: none CApath: /etc/ssl/certs * SSLv3, TLS handshake, Client hello (1): * SSLv3, TLS handshake, Server hello (2): * SSLv3, TLS handshake, CERT (11): * SSLv3, TLS handshake, Server key exchange (12): * SSLv3, TLS handshake, Server finished (14): * SSLv3, TLS handshake, Client key exchange (16): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 * Server certificate: * subject: C=US; ST=Pennsylvania; L=Ambridge; O=Gratipay, LLC; CN=0nfx8fkf.gratipay.com; [email protected] * start date: 2015-03-09 11:17:13 GMT * expire date: 2017-03-09 13:15:30 GMT * subjectAltName: gratipay.com matched * issuer: C=IL; O=StartCom Ltd.; OU=Secure Digital Certificate Signing; CN=StartCom Class 2 Primary Intermediate Server CA * SSL certificate verify ok. > TRACE / HTTP/1.1 > User-Agent: curl/7.38.0 > Host: gratipay.com > Accept: */* > < HTTP/1.1 200 OK < Connection: keep-alive * Server gunicorn/18.0 is not blacklisted < Server: gunicorn/18.0 < Date: Thu, 07 Jan 2016 17:32:50 GMT < Transfer-Encoding: chunked < X-Frame-Options: SAMEORIGIN < Cache-Control: no-cache < Content-Type: text/html; charset=UTF-8 < Set-Cookie: csrf_token=S8QB2oKQAi4M0b2LShrfufScGtyvRIft; expires=Thu, 14 Jan 2016 17:32:50 GMT; Path=/; secure < X-Content-Type-Options: nosniff < X-Xss-Protection: 1; mode=block < X-Gratipay-Version: 1934 < Via: 1.1 vegur ``` Mitigation: DIsable TRACE method support on your server. Reference: https://hackerone.com/reports/4409
Actions
View on HackerOne
Report Stats
  • Report ID: 109054
  • State: Closed
  • Substate: resolved
  • Upvotes: 4
Share this report