
SCENARIO:

I'm testing a web application. To test if TRACE is enabled I used both

nmap --script http-methods target.com

and

curl -k -i -X OPTIONS target.com

After running the former I get

443/tcp open  https
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE

With the latter I get

Allow: TRACE ...
Public: TRACE ..

So I guess TRACE should work. But when I run

curl -k -i -X TRACE target.com

I get

HTTP/1.1 405 Not Allowed
Server: Microsoft-Azure-Application-Gateway/v2
...

Which is not what I was expecting.

QUESTION:

Why is TRACE blocked? Is it because of Azure or what?

Maicake
*"is because of Azure or what?"* - given that the response contains *"Server: Microsoft-Azure-Application-Gateway/v2"* this is likely the case. – Steffen Ullrich Oct 29 '20 at 16:22

1 Answer


It looks like a false positive. According to the documentation (https://nmap.org/nsedoc/scripts/http-methods.html), this script works by sending an OPTIONS request:

Finds out what options are supported by an HTTP server by sending an OPTIONS request. Lists potentially risky methods. It tests those methods not mentioned in the OPTIONS headers individually and sees if they are implemented. Any output other than 501/405 suggests that the method is if not in the range 400 to 600.

The methods listed in response to the OPTIONS request may not actually be supported or may be handled as a GET method. If the OPTIONS request returns TRACE, the nmap script does not verify this; it just prints it as a supported method.

You should manually verify every potentially risky method (PUT, DELETE, CONNECT, TRACE) which is returned by the OPTIONS request. If the response is 405 Not Allowed, then the method is not supported and there is no security risk.

user187205
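The manual verification recommended in the answer can be scripted for TRACE. The following is an added example, not code from the answer or from nmap: it compares what OPTIONS advertises with what a TRACE probe actually returns, and treats TRACE as enabled only when the response echoes a marker header. The function names, the `X-Trace-Check` header name and the sample header values are assumptions made for illustration.

```python
import http.client
import uuid

def advertised(options_headers):
    """Methods named in the Allow/Public headers of an OPTIONS response."""
    methods = set()
    for name, value in options_headers.items():
        if name.lower() in ("allow", "public"):
            methods.update(m.strip().upper() for m in value.split(",") if m.strip())
    return methods

def trace_verdict(status, body, marker):
    """Judge a TRACE probe by what the server did, not by what OPTIONS claimed."""
    if status in (405, 501):
        return "rejected"
    # A working TRACE echoes the request, so the marker header comes back in the body.
    if status == 200 and marker in body:
        return "enabled"
    # e.g. a 200 that serves the normal page: the method was handled like a GET.
    return "inconclusive"

def review(options_headers, status, body, marker):
    """Combine the OPTIONS claim with the probe result into one finding."""
    verdict = trace_verdict(status, body, marker)
    if verdict == "rejected" and "TRACE" in advertised(options_headers):
        return "advertised but rejected (scanner false positive)"
    return verdict

def probe_trace(host, port=443, timeout=10):
    """Live TRACE probe over HTTPS; returns (status, body, marker) for review()."""
    marker = uuid.uuid4().hex
    conn = http.client.HTTPSConnection(host, port, timeout=timeout)
    try:
        # X-Trace-Check is a hypothetical header name chosen for this example.
        conn.request("TRACE", "/", headers={"X-Trace-Check": marker})
        resp = conn.getresponse()
        return resp.status, resp.read(65536).decode("latin-1"), marker
    finally:
        conn.close()

# Constructed sample modelled on the question: OPTIONS lists TRACE, the probe gets 405.
SAMPLE_OPTIONS = {"Allow": "OPTIONS, TRACE, GET, HEAD, POST",
                  "Public": "OPTIONS, TRACE, GET, HEAD, POST"}

if __name__ == "__main__":
    print(review(SAMPLE_OPTIONS, 405, "", "constructed-marker"))
```

`probe_trace` verifies the server certificate, unlike the `curl -k` commands in the question.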