hridaydutta
The HTTP TRACE method vulnerability, identified as CVE-2022-38115, is a critical security concern within Internet Information Services (IIS). It allows attackers to exploit the HTTP TRACE method, which can be misused for Cross-Site Scripting (XSS) attacks. Such attacks can enable malicious actors to intercept and manipulate user data, potentially leading to unauthorized access, data breaches, and other security incidents.
Identify the issue
To diagnose the issue, open your PowerShell console and run the following command to check if the server is responding to the TRACE method.
Invoke-WebRequest -Uri http://<your_address>:<port> -Method TRACE -Verbose
You can also use the curl command to perform the same check.
curl -v -X TRACE http://<your_address>:<port>
In both scenarios, the server responded with status code 200 for the TRACE method. This confirms that the site is vulnerable and can be identified as CVE-2022-38115.
Solution
There are several ways to remediate the vulnerability; you can follow any of the methods outlined below.
Request Filtering
You can use the built-in IIS feature, Request Filtering. Open IIS Manager, navigate to your site, and then open the "Request Filtering" module. From there, go to the HTTP Verbs section.
In the right-hand Actions pane, click on "Deny Verb." The Deny Verb popup window will appear. Enter "TRACE" as the Verb and click OK, as shown in the picture. Then, restart the Application Pool or IIS to apply the settings.
You can achieve the same result by modifying your web.config file. To do this, locate the web.config file in the root directory of your web application and add the following configuration inside the <system.webServer> element. The Deny Verb action in IIS Manager writes the same entry: an <add> element for the verb with allowed="false".

<system.webServer>
  <security>
    <requestFiltering>
      <verbs>
        <add verb="TRACE" allowed="false" />
      </verbs>
    </requestFiltering>
  </security>
</system.webServer>

To test the changes, try accessing the URL using the TRACE method. You should receive a 404.6 Not Found error.
Registry settings
You can also address the vulnerability by updating the registry settings. Open the Registry Editor and navigate to "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters".
Set the DWORD EnableTraceMethod value to 0. For more information about the EnableTraceMethod value, refer to the article Use registry keys - Internet Information Services | Microsoft Learn. After making this change, restart IIS for it to take effect. To test, access the URL using the TRACE method; you should receive a 501 - Not Implemented status code.
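As an added example (not from the original post), the following PowerShell script ties the detection step and the post-remediation checks together: it sends a TRACE request to one URL and maps the status code to the outcomes described above (200 means TRACE is still answered, 404 is the Request Filtering deny, 501 is the EnableTraceMethod registry setting), and it reads the EnableTraceMethod value from the W3SVC key. The $BaseUrl default is a placeholder; run it on the IIS host or point it at the site you administer.

```powershell
# Added example, not part of the original post. Assumes Windows PowerShell 5.1 or
# PowerShell 7 on, or with network access to, the IIS server being checked.
param(
    [string]$BaseUrl = "http://localhost:80"   # placeholder: replace with your site URL
)

function Test-TraceMethod {
    param([Parameter(Mandatory)][string]$Uri)
    # Invoke-WebRequest throws on non-2xx responses, so the status code of a
    # rejected TRACE (404 or 501) has to be read from the exception's Response.
    try {
        $resp   = Invoke-WebRequest -Uri $Uri -Method TRACE -UseBasicParsing -ErrorAction Stop
        $status = [int]$resp.StatusCode
    }
    catch {
        $errResp = $_.Exception.Response
        if ($null -eq $errResp) { throw }          # connection failure, not an HTTP answer
        $status = [int]$errResp.StatusCode
    }
    # Map the status to the three outcomes the remediation steps produce.
    $verdict = switch ($status) {
        200     { 'TRACE answered with 200 - finding still present, remediate' }
        404     { 'Blocked by Request Filtering (404.6 Verb Denied)' }
        501     { 'Blocked by EnableTraceMethod=0 (501 Not Implemented)' }
        default { "Unexpected status $status - review manually" }
    }
    [pscustomobject]@{ Uri = $Uri; StatusCode = $status; Verdict = $verdict }
}

function Get-TraceRegistrySetting {
    # Reads the EnableTraceMethod DWORD under the W3SVC Parameters key; an absent
    # value means IIS is running with its default behaviour for TRACE.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters'
    $item  = Get-ItemProperty -Path $key -Name EnableTraceMethod -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { '(not set)' } else { $item.EnableTraceMethod }
    [pscustomobject]@{ Key = $key; EnableTraceMethod = $value }
}

# Report the server-side setting first, then the observable HTTP behaviour.
Get-TraceRegistrySetting | Format-List
Test-TraceMethod -Uri $BaseUrl | Format-List
```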