What is Trace \ Track on IIS
Trace \ Track is a vulnerability that is usually identified on an IIS server when we run PCI compliance and find this vulnerability. A hacker can run a Trace attack on IIS Website and get information about the Backend server and other important information.
In latest versions on IIS (IIS 6.0, 7.5) Trace is disabled by default but still it is good idea to make sure that Trace is disabled on IIS.
Testing if Trace \ Track is Enabled on a IIS website or not
Follow these steps :
1. Go to command Prompt of your Machine.
2. Type telnet <URL of the website> 80 (this will open a telnet session of that website on port 80)
3. Type following commands on the telnet session screen in exact same order:
TRACE / HTTP/1.0
Host: <hostname_you_are_testing>
TestA: Hello
TestB: World
4. Press enter twice.
If Trace is enabled on your server, you should see following results:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 04 Aug 2009 20:17:15 GMT
Content-Type: message/http
Content-Length: 76
And If you receive following results on the telnet screen, then Trace is enabled :
HTTP/1.1 501 Not Implemented
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 15 Oct 2013 12:21:33 GMT
Content-Length: 1508
Connection: close
Disabling Trace or Track on IIS
The easiest way to mitigate the risk of Trace \ Track on iis is : installing URLScan from Microsoft,
The urlscan.ini file is included as part of URLScan . This sets by default a configuration setting "UseAllowVerbs=1". In this [AllowVerbs] section of the ini file, only http methods that are allowed are GET, HEAD, and POST so simply by installing URLScan on an IIS server , we can assume that it protected from TRACE or TRACK.
