Posted August 23

The HTTP TRACE method vulnerability, identified as CVE-2022-38115, is a critical security concern for public-facing websites. This vulnerability allows attackers to exploit the HTTP TRACE method, which can be misused for Cross-Site Scripting (XSS) attacks. Such attacks can enable malicious actors to intercept and manipulate user data, potentially leading to unauthorized access, data breaches, and other security incidents.

Identify the issue

To diagnose the issue, open your PowerShell console and run the following command to check whether the server responds to the TRACE method:

    Invoke-WebRequest -Uri http://<your_address>:<port> -Method TRACE -Verbose

You can also use the curl command to check the same thing (in Windows PowerShell, curl is an alias for Invoke-WebRequest, so run curl.exe explicitly to use the real tool):

    curl -v -X TRACE http://<your_address>:<port>

In both scenarios, the server responded with status code 200 for the TRACE method. This confirms that the site is vulnerable and can be identified as CVE-2022-38115.

Solution

There are many ways to remediate the vulnerability. You can follow any of the methods outlined below.

Request Filtering

You can use the built-in IIS feature, Request Filtering. Open IIS Manager, navigate to your site, and open the "Request Filtering" module. From there, go to the HTTP Verbs section. In the right-hand Actions pane, click "Deny Verb." The Deny Verb popup window will appear. Enter "TRACE" as the Verb and click OK, as shown in the picture. Then restart the Application Pool or IIS to apply the settings.

You can achieve the same result by modifying your web.config file.
To do this, locate the web.config file in the root directory of your web application and add the following configuration under the <system.webServer> tag. The verbs collection denies a verb with an add element whose allowed attribute is false; this is the same entry that IIS Manager's "Deny Verb" action writes.

    <system.webServer>
      <security>
        <requestFiltering>
          <verbs>
            <add verb="TRACE" allowed="false" />
          </verbs>
        </requestFiltering>
      </security>
    </system.webServer>

To test the changes, try accessing the URL using the TRACE method. You should receive a 404.6 Not Found error (IIS substatus 404.6 means "Verb denied").

Registry settings

You can also address the vulnerability by updating the registry settings. Open the Registry Editor and navigate to "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters". Take a backup of your registry before making any update. Set the DWORD EnableTraceMethod value to 0. For more information about the EnableTraceMethod value, refer to the article "Use registry keys - Internet Information Services | Microsoft Learn". After making this change, restart IIS for it to take effect. To test, access the URL using the TRACE method; you should receive a 501 Not Implemented status code.
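The following PowerShell script is an added example, not code from the original post: it wraps the TRACE check from the "Identify the issue" section in a function that maps the three status codes the post describes (200, 404.6, 501) to a readable state, applies both remediations (the request-filtering deny and the EnableTraceMethod registry value, with a registry export as the backup) using the WebAdministration module, and re-checks. It assumes Windows PowerShell 5.1 or PowerShell 7 running in an elevated prompt on the IIS host, a site named "Default Web Site" listening on http://localhost, and a backup path under $env:TEMP; all of these are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post): check a site for the TRACE method,
# apply both fixes described in the post, and re-check.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7 on the IIS host, the
# WebAdministration module, an elevated prompt, and a site named 'Default Web Site'
# listening on http://localhost.

function Test-TraceMethod {
    # Sends a TRACE request and maps the status code to the states the post describes.
    param([Parameter(Mandatory)][string]$Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -Method TRACE -UseBasicParsing -ErrorAction Stop
        $code = [int]$resp.StatusCode
    } catch {
        # Invoke-WebRequest throws on 4xx/5xx; the response object is still attached.
        if ($null -eq $_.Exception.Response) { throw }
        $code = [int]$_.Exception.Response.StatusCode
    }
    $state = switch ($code) {
        200     { 'TRACE enabled: vulnerable' }
        404     { 'Blocked by request filtering (404.6 Verb denied)' }
        501     { 'Disabled by EnableTraceMethod=0' }
        default { 'Unexpected status; inspect manually' }
    }
    [pscustomobject]@{ Url = $Url; StatusCode = $code; State = $state }
}

function Disable-TraceMethod {
    # Applies the request-filtering deny and the registry setting, then restarts IIS.
    param(
        [string]$SiteName   = 'Default Web Site',
        [string]$BackupFile = "$env:TEMP\W3SVC-Parameters-backup.reg"   # assumed path
    )
    Import-Module WebAdministration

    # 1. Request filtering: same as IIS Manager's "Deny Verb". Writing to IIS:\Sites\<site>
    #    puts <add verb="TRACE" allowed="false" /> into that site's web.config.
    #    Adding a duplicate collection entry is an error, so check first.
    $sitePath = "IIS:\Sites\$SiteName"
    $verbs    = 'system.webServer/security/requestFiltering/verbs'
    $already  = Get-WebConfiguration -PSPath $sitePath -Filter "$verbs/add[@verb='TRACE']"
    if (-not $already) {
        Add-WebConfigurationProperty -PSPath $sitePath -Filter $verbs -Name '.' `
            -Value @{ verb = 'TRACE'; allowed = 'False' }
    }

    # 2. Registry: export the key as a backup, then set EnableTraceMethod = 0 (server-wide).
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters' $BackupFile /y | Out-Null
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters' `
        -Name 'EnableTraceMethod' -Value 0 -PropertyType DWord -Force | Out-Null

    # 3. Restart IIS so both changes take effect.
    iisreset.exe /restart | Out-Null
}

# Usage: record the state before remediation, apply both fixes, then check again.
$url = 'http://localhost:80/'
Test-TraceMethod -Url $url
Disable-TraceMethod -SiteName 'Default Web Site'
Test-TraceMethod -Url $url
```

On an unpatched site the first check reports status 200; after Disable-TraceMethod runs, the second check should report 404 or 501 rather than 200, depending on which of the two layers answers the request first. Because Invoke-WebRequest raises an exception for 4xx and 5xx responses, the catch block reads the status from the attached response object instead of treating the error as a failed probe; this is what lets the same function verify both remediations.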