IIS: Remediation steps for insecure HTTP TRACE Method and XSS vulnerability.

Posted by hridaydutta

The HTTP TRACE method vulnerability, identified as CVE-2022-38115, is flagged by vulnerability scanners on public-facing IIS sites and is commonly reported as Cross-Site Tracing (XST). TRACE makes the server echo the request it received, headers included, back in the response body. Historically a script running in a victim's browser could issue a TRACE request and read cookies (including HttpOnly cookies) and Authorization headers out of that echo, which is why the finding is grouped with Cross-Site Scripting (XSS). Modern browsers refuse to send TRACE from script, so the practical risk on a current browser is low, but the method serves no purpose on a production site, the echoed headers can still leak to any client that can reach the server, and scanners will keep reporting it until it is disabled.



Identify the issue



To diagnose the issue, open a PowerShell console and run the following command to check whether the server answers the TRACE method. Invoke-WebRequest throws an error for non-2xx responses, so a denied TRACE shows up as an exception rather than a normal response.

Invoke-WebRequest -Uri http://<your_address>:<port> -Method TRACE -Verbose



[Screenshot: Invoke-WebRequest TRACE response with status 200]



You can also use curl to check the same thing; the -v flag prints the status line and the echoed request.

curl -v -X TRACE http://<your_address>:<port>



[Screenshot: curl TRACE response with status 200]



In both cases the server answered TRACE with status code 200 and echoed the request line and headers back in the body. That echo is the finding: TRACE is enabled on the site, which is what the scanner reports as CVE-2022-38115.
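The two manual checks above can be folded into one reusable PowerShell function that also interprets the result. The following is an added example and is not part of the original post; the X-Trace-Probe header name and the http://localhost/ target are assumptions. It sends a unique marker header with the TRACE request and treats the request as reflected only if that marker comes back in the body, which separates a real echo from a server that merely returns 200 for unknown methods. It runs on Windows PowerShell 5.1 and PowerShell 7.

```powershell
# Added example (not from the original post): probe a URL with TRACE and classify the answer.
# Assumptions: the X-Trace-Probe header name and the target URL used in the usage line.
function Test-HttpTrace {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Uri
    )

    # A unique marker header: if it is reflected in the body, the server is echoing
    # request headers, which is what makes TRACE a finding at all.
    $marker  = [guid]::NewGuid().ToString()
    $headers = @{ 'X-Trace-Probe' = $marker }
    $body    = ''

    try {
        $resp   = Invoke-WebRequest -Uri $Uri -Method TRACE -Headers $headers -UseBasicParsing -ErrorAction Stop
        $status = [int]$resp.StatusCode
        # PowerShell 7 hands back byte[] for non-text content types such as message/http;
        # Windows PowerShell 5.1 returns a string. Normalise both to a string.
        $content = $resp.Content
        if ($content -is [byte[]]) { $body = [System.Text.Encoding]::ASCII.GetString($content) }
        else                        { $body = [string]$content }
    }
    catch {
        # Non-2xx responses are thrown as exceptions; the status code is still on the
        # response object in both 5.1 (HttpWebResponse) and 7 (HttpResponseMessage).
        if ($_.Exception.Response) {
            $status = [int]$_.Exception.Response.StatusCode
        }
        else {
            throw   # DNS, TCP or TLS failure: nothing to interpret
        }
    }

    $reflected = $body -match [regex]::Escape($marker)

    $verdict = switch ($status) {
        200 {
            if ($reflected) { 'TRACE enabled: request headers echoed back (finding confirmed)' }
            else            { 'TRACE answered 200 but the probe header was not echoed; inspect manually' }
        }
        404     { 'TRACE denied (IIS Request Filtering answers 404.6 Verb denied)' }
        405     { 'TRACE rejected: Method Not Allowed' }
        501     { 'TRACE not implemented (e.g. EnableTraceMethod=0 in the registry)' }
        default { "Unexpected status $status; inspect manually" }
    }

    [pscustomobject]@{
        Uri        = $Uri
        StatusCode = $status
        Reflected  = $reflected
        Verdict    = $verdict
    }
}

# Usage (assumed target): point this at the site under test.
Test-HttpTrace -Uri 'http://localhost/'
```

Run it before and after remediation: a Reflected value of True with status 200 is the vulnerable state, and the verdict text maps the 404 and 501 results to the two fixes described in this post.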



Solution



There are several ways to remediate this finding; either of the methods below is sufficient on its own. Request Filtering can be applied per site, whereas the registry setting disables TRACE for every site on the server.



Request Filtering



You can use the built-in IIS feature, Request Filtering. Open IIS Manager, navigate to your site, and then open the "Request Filtering" module. From there, go to the HTTP Verbs section.



[Screenshots: Request Filtering module and its HTTP Verbs tab in IIS Manager]



In the right-hand Actions pane, click "Deny Verb." In the Deny Verb popup window, enter "TRACE" as the verb and click OK, as shown in the picture. IIS Manager writes the change to the site's web.config and IIS picks it up as soon as the file is saved; recycle the application pool or restart IIS only if the old behaviour persists.



You can achieve the same result by editing web.config directly. Locate the web.config file in the root directory of your web application and add the following configuration under the <system.webServer> element. The entry must be an <add verb="TRACE" allowed="false" /> element, which is exactly what the Deny Verb dialog generates; a <remove verb="TRACE" /> element only deletes an entry inherited from a parent configuration and does not deny anything. To deny TRACE for every site on the server, place the same fragment in %windir%\System32\inetsrv\config\applicationHost.config, or apply Deny Verb at the server node in IIS Manager.



<system.webServer>
  <security>
    <requestFiltering>
      <!-- allowUnlisted="true" keeps every other verb working; only TRACE is denied -->
      <verbs allowUnlisted="true">
        <add verb="TRACE" allowed="false" />
      </verbs>
    </requestFiltering>
  </security>
</system.webServer>



To test the change, request the URL again with the TRACE method. You should receive a 404.6 Not Found error; sub-status 6 means "Verb denied". The client sees a plain 404, and the sub-status is visible in the IIS log and, when detailed errors are enabled, on the error page.



[Screenshot: TRACE request answered with 404.6 Verb denied]



Registry settings



You can also address the finding server-wide through the registry. Open the Registry Editor and navigate to "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters".



[Screenshot: W3SVC\Parameters key in Registry Editor]



Back up the registry key before changing it. Set the DWORD value EnableTraceMethod to 0, creating the value if it does not already exist. This setting applies to every site on the server, not just one application. For more information about the EnableTraceMethod value, refer to the article Use registry keys - Internet Information Services | Microsoft Learn.

The value is read when the service starts, so restart IIS (iisreset) for it to take effect. To test, request the URL again using the TRACE method; you should now receive a 501 Not Implemented status code instead of the 404.6 produced by Request Filtering.



[Screenshot: TRACE request answered with 501 Not Implemented]
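Both remediations in this post can be applied from an elevated PowerShell console on the IIS host instead of clicking through IIS Manager and regedit. The script below is an added example, not part of the original post: it denies TRACE for one site through Request Filtering (the same <add verb="TRACE" allowed="false" /> entry the Deny Verb dialog writes) and then disables the method server-wide with EnableTraceMethod=0, backing up the registry key first. The site name "Default Web Site" and the backup location under %TEMP% are assumptions; it needs the WebAdministration module that ships with IIS.

```powershell
# Added example (not from the original post): apply both TRACE remediations from PowerShell.
# Assumptions: site name 'Default Web Site', backup path under $env:TEMP, WebAdministration module present.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$siteName   = 'Default Web Site'    # assumption: the site to harden
$backupPath = Join-Path $env:TEMP ("W3SVC-Parameters-{0}.reg" -f (Get-Date -Format 'yyyyMMddHHmmss'))

# 1. Per-site Request Filtering: equivalent to "Deny Verb" in IIS Manager.
#    Produces <add verb="TRACE" allowed="false" /> under requestFiltering/verbs in the site's config.
$filter   = 'system.webServer/security/requestFiltering/verbs'
$existing = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
                -Filter "$filter/add[@verb='TRACE']"
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
        -Filter $filter -Name '.' -Value @{ verb = 'TRACE'; allowed = 'false' }
}

# 2. Server-wide: EnableTraceMethod=0 under W3SVC\Parameters.
#    Export the key first so the change can be reverted, then restart IIS so the value is read.
$regKey  = 'HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters'
$regPath = "HKLM:\$($regKey.Substring(5))"
reg.exe export $regKey $backupPath /y | Out-Null
Set-ItemProperty -Path $regPath -Name 'EnableTraceMethod' -Value 0 -Type DWord
iisreset.exe /restart | Out-Null

# 3. Report the resulting state for the change record.
[pscustomobject]@{
    Site              = $siteName
    TraceDeniedInSite = [bool](Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
                                   -Filter "$filter/add[@verb='TRACE']")
    EnableTraceMethod = (Get-ItemProperty -Path $regPath -Name 'EnableTraceMethod').EnableTraceMethod
    RegistryBackup    = $backupPath
}
```

After it finishes, repeat the Invoke-WebRequest or curl TRACE check from the start of this post. With both settings in place the registry setting wins, so expect 501 Not Implemented; if you applied only the Request Filtering half, expect 404.6 instead. To roll the registry change back, double-click the exported .reg file or run reg.exe import on it and restart IIS.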
