Hi every one,
My company is scan its website for vulnerabilities. The issue is titled "HTTP TRACK Method Enabled (http-track-method-enabled)". The short description is "The HTTP TRACK method is normally used to return the full HTTP request back to the requesting client for proxy-debugging purposes. An attacker can create a webpage using XMLHTTP, ActiveX, or XMLDOM to cause a client to issue a TRACK request and capture the client's cookies. This effectively results in a Cross-Site Scripting attack."
The scan's recommended solution is as follows:
Disable the TRACE and/or TRACK method from the Web server.
We are using the URLScan tool to deny HTTP TRACE requests. The default configurations of Urlscan 2.5 (both baseline and SRP) only permit GET and HEAD methods only"
What settings do I need to change in URLScan to block Track and Trace methods? Right now our IIS version is 6 and .net framework 1.1.
Any answers are appreciated. Thanks in advance.
Regards,
Anil Kumar