TRACK is an HTTP verb that tells IIS to return the full request back to the client. It is Microsoft's own implementation and is similar to the TRACE verb, which is RFC compliant.
Vulnerability scan tools may raise a flag if the HTTP TRACK and TRACE verbs are enabled on your server. The reason is that attackers can capture client cookies by asking the web server to return the full request.
An example of the text a vulnerability scan tool reports regarding the use of this verb:
The HTTP TRACK method is normally used to return the full HTTP request back to the requesting client for proxy-debugging purposes. An attacker can create a webpage using XMLHTTP, ActiveX, or XMLDOM to cause a client to issue a TRACK request and capture the client’s cookies. This effectively results in a Cross-Site Scripting attack.
HTTP TRACK is disabled in IIS 6 and newer versions. However, you may still see the TRACE verb enabled, which may cause your security scan tool to raise a vulnerability flag.
I performed tests using IIS 7, 8.5, and 10 to see if the TRACK and TRACE verbs are enabled or disabled by default:
As you can see in the table, TRACK is not allowed by default from IIS 7 onward. However, TRACE is allowed by default in IIS 8.5.
Please note that security scan tools may report TRACK verb usage but actually test for the TRACE method.
Try sending a TRACE request to IIS via telnet. If it fails with a 404 code, the request is not allowed.
Steps to test:
telnet <server-ip-address> 80
TRACE / HTTP/1.1
If you see HTTP/1.1 404 Not Found, the setting is working and TRACE is disabled.
If you see HTTP/1.1 200 OK, the setting is not working and TRACE is allowed.
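The same check as a small script, added here as an example that is not part of the original post. It sends a properly formed TRACE request (HTTP/1.1 requires a Host header and the blank line that ends the request; without them IIS answers 400 rather than 404 or 200), classifies the status line the way the steps above describe, and, if the verb is enabled, lists the request headers the server echoed back, which is exactly what a scanner worries about. Treating 405 and 501 as "disabled" is an assumption that covers non-IIS servers; the sample responses are constructed.

```python
import socket

# Constructed sample responses so the classifier can be exercised offline.
SAMPLE_DISABLED = "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
SAMPLE_ENABLED = ("HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                  "TRACE / HTTP/1.1\r\nHost: example\r\n\r\n")

def build_trace_request(host: str) -> bytes:
    """Raw TRACE request. The Host header is mandatory in HTTP/1.1 and the
    empty line terminates the request; telnet users must type both by hand."""
    return (f"TRACE / HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

def classify_response(raw: str) -> str:
    """404 -> 'disabled' (IIS request filtering denies the verb),
    200 -> 'enabled' (the server echoed the request back).
    405/501 are treated as disabled too (assumption, for other servers)."""
    status_line = raw.split("\r\n", 1)[0]
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "unknown"
    code = int(parts[1])
    if code == 200:
        return "enabled"
    if code in (404, 405, 501):
        return "disabled"
    return f"unexpected ({code})"

def echoed_request_headers(raw: str) -> list:
    """When TRACE is enabled the body is the request as the server saw it;
    return its header lines to show what would be reflected to a client."""
    _head, _sep, body = raw.partition("\r\n\r\n")
    if classify_response(raw) != "enabled" or not body:
        return []
    return [line for line in body.split("\r\n") if line]

def check_trace(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Live check against your own server: send TRACE and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_response(b"".join(chunks).decode("latin-1"))

if __name__ == "__main__":
    import sys
    print(check_trace(sys.argv[1]) if len(sys.argv) > 1
          else classify_response(SAMPLE_DISABLED))
```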