documentation/modules/auxiliary/scanner/http/trace.md
This module checks if the host(s) is(are) vulnerable to Cross-Site Tracing (XST). The module does more than just check for the HTTP Trace method, and actually attempts a trace request to verify that XST is possible.
This link describes how
to disable the HTTP TRACE method. In order to enable it, simply follow the opposite of
these instructions (e.g. set TraceEnable to on for Apache).
msfconsoleuse auxiliary/scanner/http/traceset RHOSTS [ip]set RPORT [port]runYou can use this module on a single target or several targets. See below for single target usage:
msf > use auxiliary/scanner/http/trace
msf auxiliary(scanner/http/trace) > set RHOSTS YYY.YY.YYY.YYY
RHOSTS => YYY.YY.YYY.YYY
msf auxiliary(scanner/http/trace) > set RPORT 443
RPORT => 443
msf auxiliary(scanner/http/trace) > set SSL true
[!] Changing the SSL option's value may require changing RPORT!
SSL => true
msf auxiliary(scanner/http/trace) > run
[+] YYY.YY.YYY.YYY:443 is vulnerable to Cross-Site Tracing
nmap -sV -Pn [ip] --script=http-trace -p 443
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-21 20:30 EDT
Nmap scan report for www.hphc.org ([ip])
Host is up (0.029s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/http Apache httpd
|_http-server-header: Apache
|_http-trace: TRACE is enabled
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.53 seconds