1.8 KiB
1.8 KiB
Vulnerable Application
This module checks if the host(s) is(are) vulnerable to Cross-Site Tracing (XST). The module does more than just check for the HTTP Trace method, and actually attempts a trace request to verify that XST is possible.
Setting up Web Servers with the TRACE Method
This link describes how
to disable the HTTP TRACE method. In order to enable it, simply follow the opposite of
these instructions (e.g. set TraceEnable to on for Apache).
Verification Steps
- Start
msfconsole use auxiliary/scanner/http/traceset RHOSTS [ip]set RPORT [port]run- Check output for presence of XST
Options
Scenarios
You can use this module on a single target or several targets. See below for single target usage:
msf6 > use auxiliary/scanner/http/trace
msf6 auxiliary(scanner/http/trace) > set RHOSTS YYY.YY.YYY.YYY
RHOSTS => YYY.YY.YYY.YYY
msf6 auxiliary(scanner/http/trace) > set RPORT 443
RPORT => 443
msf6 auxiliary(scanner/http/trace) > set SSL true
[!] Changing the SSL option's value may require changing RPORT!
SSL => true
msf6 auxiliary(scanner/http/trace) > run
[+] YYY.YY.YYY.YYY:443 is vulnerable to Cross-Site Tracing
Confirming with Nmap
nmap -sV -Pn [ip] --script=http-trace -p 443
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-21 20:30 EDT
Nmap scan report for www.hphc.org ([ip])
Host is up (0.029s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
|_http-trace: TRACE is enabled
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.53 seconds