Configuration Error Medium Allowing HTTP TRACE can permit cross-site tracing. Attackers may be able to use cross-site tracing with cross-site scripting retrieve the value of HttpOnly cookies. For Apache based servers, the TraceEnable directive can be used to disable support for HTTP TRACE. For IIS based servers, the EnableTraceMethod registry setting controls support for HTTP TRACE.. HTTP TRACE is an HTTP method that requests that the server echo the TRACE request back to the client. This includes headers that were sent along with the request. Support for HTTP TRACE can be abused in scenarios where a cross-site scripting vulnerability has been found, but cannot be exploited to retrieve cookie values because the target cookies are set with the HttpOnly flag. The HttpOnly flag instructs browsers not to permit access to the cookie by Javascript. If a cross-site scripting vulnerability is found, but the session cookie is set HttpOnly, support for HTTP TRACE will open an oppportunity for cookie theft. An attacker can use the cross-site scripting vulnerability to have the target user's browser issue a TRACE request to the server via XMLHttpRequest (or a similar function) and then retrieve the cookie from the response, which will contain the request that was sent by the browser, including cookies. IBM HTTP Server: Disabling the HTTP TRACE method Apache 2: TraceEnable Directive Windows Server 2012: WWW Service Registry Entries - EnableTraceMethod W2K3 Server: WWW Service Registry Entries - Enable TraceMethod Wikipedia: Cross-site Tracing CERT: Web servers enable HTTP TRACE method by default OWASP: Cross Site Tracing W3C: RFC 2616 - HTTP 1.1 - 9.8: TRACE