Web Reconnaissance

Check-List
TRACE Method

Checking for Cross-Site Tracing (XST) – Bypassing HttpOnly Cookies

  • If TRACE is enabled and the response reflects cookies, an attacker can bypass the HttpOnly flag.

  • Normally, HttpOnly prevents JavaScript from accessing cookies, but TRACE can leak them if not properly restricted.

POC
curl -X TRACE https://target.com -H "Test: XST"
  • If the response includes the custom header, TRACE is enabled.

  • If it leaks Set-Cookie headers, it’s a serious security issue.

  • Bug Bounty Impact: Session Hijacking


Finding Internal Headers & Debug Info

Some servers return sensitive internal headers when TRACE is enabled, such as:

  • X-Forwarded-For --> Real client IP leak.

  • X-Backend-Server --> Internal server exposure.

  • Via --> Reveals proxy setup.

POC
curl -X TRACE https://target.com
  • Look for unusual headers in the response.

  • Bug Bounty Impact: Information Disclosure
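
Added example for the two TRACE checks above (XST cookie reflection and internal header leakage); it is not part of the original checklist. It parses the raw response that `curl -i -X TRACE` would print, decides whether TRACE is honoured (200 with `Content-Type: message/http`, as RFC 9110 describes), and reports what the echoed request reveals. The two sample responses are constructed, and `x-real-ip` in the internal-header list is an addition of this example.

```python
import re
from dataclasses import dataclass, field

# Request headers that, when echoed back in a TRACE body, reveal infrastructure
# details: the checklist's three plus X-Real-IP (an assumption of this example).
INTERNAL_HEADERS = ("x-forwarded-for", "x-backend-server", "via", "x-real-ip")


@dataclass
class TraceFinding:
    trace_enabled: bool
    marker_reflected: bool = False
    cookie_leaked: bool = False
    internal_headers: list = field(default_factory=list)
    reflected_headers: list = field(default_factory=list)


def parse_http_message(raw: str):
    """Split a raw HTTP message into (start line, {lower-cased name: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def analyse_trace_response(raw_response: str, marker_header: str = "Test") -> TraceFinding:
    """Decide what a TRACE response reveals.

    A server that honours TRACE answers 200 with Content-Type: message/http and
    echoes the request line and headers as the body (RFC 9110, section 9.3.8).
    """
    status_line, resp_headers, body = parse_http_message(raw_response)
    parts = status_line.split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    content_type = resp_headers.get("content-type", "")
    enabled = status == 200 and content_type.startswith("message/http")
    finding = TraceFinding(trace_enabled=enabled)
    if not enabled:
        return finding
    # The body is the echoed request, so parse it as an HTTP message of its own.
    _, echoed, _ = parse_http_message(body)
    finding.reflected_headers = sorted(echoed)
    finding.marker_reflected = marker_header.lower() in echoed   # "Test: XST" came back
    finding.cookie_leaked = "cookie" in echoed                   # HttpOnly cookie exposed
    finding.internal_headers = [h for h in INTERNAL_HEADERS if h in echoed]
    return finding


def impact(finding: TraceFinding) -> str:
    """Map a finding onto the impact labels used in the checklist."""
    if finding.cookie_leaked:
        return "Session Hijacking (XST: Cookie header echoed despite HttpOnly)"
    if finding.internal_headers:
        return "Information Disclosure (" + ", ".join(finding.internal_headers) + ")"
    if finding.trace_enabled:
        return "TRACE enabled, nothing sensitive echoed (disable it anyway)"
    return "TRACE disabled"


# Constructed sample: a server (behind a proxy) that honours TRACE and echoes everything.
SAMPLE_TRACE_ENABLED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: message/http\r\n"
    "\r\n"
    "TRACE / HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Test: XST\r\n"
    "Cookie: session=REDACTED\r\n"
    "X-Forwarded-For: 10.0.0.5\r\n"
    "Via: 1.1 proxy-internal\r\n"
)

# Constructed sample: a server that rejects TRACE.
SAMPLE_TRACE_DISABLED = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Allow: GET, HEAD, POST\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_TRACE_ENABLED, SAMPLE_TRACE_DISABLED):
        print(impact(analyse_trace_response(sample)))
```

Feed it the output of `curl -i -s -X TRACE https://target.com -H "Test: XST"` (the `-i` is needed so the status line and Content-Type are included). On the fixing side, Apache disables the method with `TraceEnable off`, and nginx answers TRACE with 405 by default.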


Finding WAF / Security Device Bypasses

  • Some WAFs don’t inspect TRACE requests properly.

  • You can use TRACE to test whether WAF protections apply to certain endpoints.

POC
curl -X TRACE https://target.com/index.php --data "payload=<script>alert(1)</script>"

If TRACE reflects the payload while the same payload in a normal request is blocked, the WAF is not inspecting TRACE requests and can be bypassed.


Checking for Cross-Origin Attacks

  • If TRACE is enabled, it might allow same-origin policy (SOP) bypasses.

  • Some older browsers or misconfigured CORS setups can be exploited if TRACE echoes requests cross-origin.

Bypass User-Agent filtering

  • Use HTTPBin to check the User-Agent from any client.

  • Experiment with these User-Agent strings:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Edg/123.0.2420.81
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 OPR/109.0.0.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:124.0) Gecko/20100101 Firefox/124.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15
Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 OPR/109.0.0.0
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Mozilla/5.0 (X11; Linux i686; rv:124.0) Gecko/20100101 Firefox/124.0
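
Added example from the defender's side of the User-Agent list above; it is not part of the original checklist. Rotating through the strings above is a recon pattern a log reviewer can spot: one client IP presenting several unrelated browser/OS families within a short window. The classifier knows that Edge and Opera strings also carry the Chrome token, so it tests the `Edg/` and `OPR/` tokens first. The access-log lines are constructed.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify_user_agent(ua: str):
    """Return (browser family, OS family) for a User-Agent string.

    Edge and Opera embed "Chrome/... Safari/..." too, and Chrome embeds "Safari/",
    so the more specific tokens are checked first.
    """
    if "Edg/" in ua:
        browser = "Edge"
    elif "OPR/" in ua:
        browser = "Opera"
    elif "Firefox/" in ua:
        browser = "Firefox"
    elif "Chrome/" in ua:
        browser = "Chrome"
    elif "Safari/" in ua:
        browser = "Safari"
    else:
        browser = "Other"
    if "Windows NT" in ua:
        os_family = "Windows"
    elif "Mac OS X" in ua:
        os_family = "macOS"
    elif "Linux" in ua:
        os_family = "Linux"
    else:
        os_family = "Other"
    return browser, os_family


def parse_log(text: str):
    """Yield one dict per well-formed combined-log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_ua_rotation(text: str, threshold: int = 3):
    """Return {ip: distinct (browser, OS) families} for clients at or above threshold."""
    families = defaultdict(set)
    for entry in parse_log(text):
        families[entry["ip"]].add(classify_user_agent(entry["ua"]))
    return {ip: len(s) for ip, s in families.items() if len(s) >= threshold}


# Constructed access log: 203.0.113.7 cycles through four browser/OS families against
# /login in four seconds; 198.51.100.9 is an ordinary visitor with one browser.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2024:12:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
203.0.113.7 - - [10/Apr/2024:12:00:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0"
203.0.113.7 - - [10/Apr/2024:12:00:03 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15"
203.0.113.7 - - [10/Apr/2024:12:00:04 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux i686; rv:124.0) Gecko/20100101 Firefox/124.0"
198.51.100.9 - - [10/Apr/2024:12:00:05 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
198.51.100.9 - - [10/Apr/2024:12:00:06 +0000] "GET /about HTTP/1.1" 200 800 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
"""

if __name__ == "__main__":
    for ip, n in find_ua_rotation(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct browser/OS families")
```

The threshold and the window are the tuning knobs: a NAT gateway legitimately shows many families, so in practice the count is taken per source within a few minutes and correlated with the paths requested (here, repeated hits on a login endpoint).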

Ruby Configuration Files

It is worth reading the documentation.

Look for these files:
config/application.rb
config/database.yml
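
Added example for the files listed above, not part of the original checklist: the reason `config/database.yml` is worth looking for is that it often carries literal database credentials. This scanner flags `password:` values that are written in the clear and `url:` values with embedded credentials, and accepts ERB placeholders (`<%= ENV["..."] %>`) as the safe form. The sample file and its values are constructed.

```python
import re

# A literal value; ERB placeholders such as <%= ENV["DB_PASSWORD"] %> are not secrets.
KEY_VALUE_RE = re.compile(r"\s*([A-Za-z_]+)\s*:\s*(.*)$")
# scheme://user:password@host ... inside a connection URL
URL_CREDENTIALS_RE = re.compile(r"://[^/:@]+:[^@]+@")


def find_hardcoded_secrets(yml_text: str):
    """Return [(line number, key, detail)] for credentials committed as literals.

    Only top-level-shaped `key: value` lines are inspected; YAML merge keys (<<)
    and anchors (&default) never match the key pattern and are ignored.
    """
    findings = []
    for lineno, line in enumerate(yml_text.splitlines(), 1):
        m = KEY_VALUE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if not value or value.startswith("<%="):
            continue  # empty or injected from the environment at boot: fine
        if key == "password":
            findings.append((lineno, key, value))
        elif key == "url" and URL_CREDENTIALS_RE.search(value):
            findings.append((lineno, key, "credentials embedded in URL"))
    return findings


# Constructed database.yml: the default block does it right, development has a
# literal password, staging hides one inside the URL, production uses ENV.
SAMPLE_DATABASE_YML = """\
default: &default
  adapter: postgresql
  username: <%= ENV["DB_USER"] %>
  password: <%= ENV["DB_PASSWORD"] %>

development:
  <<: *default
  database: app_dev
  password: devpass123

staging:
  <<: *default
  url: postgres://app:hunter2@db.internal/app_staging

production:
  <<: *default
  database: app_prod
  url: <%= ENV["DATABASE_URL"] %>
"""

if __name__ == "__main__":
    for lineno, key, detail in find_hardcoded_secrets(SAMPLE_DATABASE_YML):
        print(f"line {lineno}: {key} -> {detail}")
```

Run it over `config/database.yml` (and `config/secrets.yml` where present) as a pre-commit check; anything it reports should move to the environment or Rails encrypted credentials, and the file history treated as already disclosed.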