tenable:11213 · HTTP TRACE / TRACK Methods Allowed

01 · The Real Story

This is a service hatch left unlocked, but you still need a second break-in tool to reach anything valuable

Tenable plugin 11213 is not a software-version bug so much as a web-tier configuration finding: the server answers HTTP TRACE and/or IIS TRACK requests. Any stack that reflects the request body or headers back to the client can trigger it if the method is enabled, which means the affected range is effectively any web server, proxy, or application tier that still permits these methods rather than a neat product/version list.

The vendor's MEDIUM label is too generous for enterprise patch triage. TRACE by itself does not execute code, bypass auth, or dump data; it is mostly an attack amplifier for a second flaw such as same-origin XSS or a proxy desync/smuggling condition. Modern browsers also treat TRACE as a forbidden method, which kills the classic cross-site tracing path in many real deployments, so this belongs in backlog hardening, not in front of exploitable edge RCEs.

"TRACE/TACK enabled is a hardening miss, not a patch fire, unless you can chain it with XSS or proxy desync."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Confirm method support with curl or nmap

The attacker first checks whether the target actually accepts TRACE or TRACK, usually with curl -X TRACE or an http-methods style probe. If the server reflects the request line or custom headers, the finding is real; if OPTIONS merely advertises it but the live request gets 405 or 501, the scanner result is a false positive in practice.

Conditions required:

Network reachability to the HTTP(S) service
The edge, reverse proxy, or origin must truly accept TRACE or TRACK

Where this breaks in practice:

Many modern stacks block TRACE outright
Some scanners key off OPTIONS or Allow headers and over-report

Detection/coverage: Nessus plugin 11213 is a network check and catches exposed responders, but you should manually verify with a live TRACE request because advertised methods and actually executable methods often differ.

STEP 02

Acquire a second primitive: XSS or desync

A useful exploit almost always needs another bug. The classic path is cross-site tracing (XST): combine same-origin XSS with TRACE so the reflected request exposes cookies or headers; the newer path is to combine TRACE with HTTP request smuggling/desync research to reveal header rewriting and build cache-poisoning or response-smuggling chains.

Conditions required:

A working XSS flaw in the same origin, or a request smuggling/desync condition in the proxy path
The application carries valuable auth tokens or headers on the same path

Where this breaks in practice:

Modern browsers forbid TRACE, which sharply reduces classic XST viability
Proxy desync is a specialist chain, not commodity spray-and-pray exploitation

Detection/coverage: Static vuln scanners may find the XSS half; request smuggling/desync usually needs Burp or targeted protocol testing and is rarely covered well by generic VM scans.

STEP 03

Reflect request metadata back from the server

Once chained, the attacker sends a crafted TRACE request containing marker headers, cookies, or poisoned header state. The server replies with a message/http body that shows what arrived at the far end, including intermediary-added headers such as X-Forwarded-For, auth material, or other routing clues.

Conditions required:

The request must traverse the same proxy/application path as the victim traffic
The server must echo enough of the request to be useful

Where this breaks in practice:

Some servers strip sensitive headers before reflection
Segmentation of auth domains and cookie scoping can limit what is exposed

Detection/coverage: Look for TRACE in access logs, WAF logs, or reverse-proxy method telemetry; many orgs never baseline rare verbs, so this often lands as noisy but low-volume outlier traffic.

STEP 04

Turn reflection into session theft or chain tuning

If the reflected data includes usable session material, the attacker pivots into the victim account; otherwise the response still helps tune a desync or cache-poisoning exploit by showing exact backend normalization and proxy-added headers. The practical impact is therefore highly dependent on another weakness already being present.

Conditions required:

Usable session tokens, bearer headers, or exploitable proxy behavior
The target app must trust the reflected or leaked material

Where this breaks in practice:

HttpOnly, SameSite, origin isolation, and MFA reduce the value of stolen browser state
Without the chained bug, TRACE is just recon and hardening debt

Detection/coverage: EDR does not help here; web logs, WAF method rules, and reverse-proxy telemetry are the meaningful controls.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No standalone known exploited signal found. As of 2026-02-12, this finding is not listed in CISA KEV, and I found no credible evidence of broad campaigns targeting `TRACE` alone.
Proof-of-concept availability	Public techniques exist, but almost all are chained: OWASP documents classic XST, and PortSwigger published TRACE desync research showing modern exploitation when combined with request smuggling.
EPSS	N/A for this plugin finding. `11213` is a generic misconfiguration check, not a single CVE with a stable EPSS entry.
KEV status	Absent from KEV as of 2026-02-12. That matters because there is no strong exploitation pressure signal telling you to jump this ahead of actually exploited perimeter bugs.
Vendor view	Tenable labels Nessus plugin `11213` as Medium, while Tenable's web-app plugin `98048` explicitly says `TRACE` is not vulnerable by itself and scores it Low there. That split is a clue that the real risk is contextual, not intrinsic.
CVSS / severity interpretation	No public CVSS vector was visible on the Nessus `11213` changelog page I checked. Operationally, the impact is usually confidentiality-adjacent only when chained, with negligible direct integrity or availability impact.
Affected range	Broad but shallow: any web tier that still responds to `TRACE` or `TRACK`. Apache documents `TraceEnable on` as the default behavior unless disabled; IIS can explicitly deny verbs via Request Filtering.
Fixed version / patch reality	Usually no product patch is required. This is commonly resolved by configuration: Apache `TraceEnable off`; IIS deny `TRACE`/`TRACK` verbs; some stacks like nginx generally do not support `TRACE` by default.
Scanner / exposure quality	Treat network findings carefully. Real-world ops teams regularly see scanners report `TRACE` because it appears in `OPTIONS` or `Allow`, while an actual `TRACE` request returns `405` or `501`; manual validation is mandatory.
Disclosure lineage	The issue class is old: CERT and XST research date back to the early 2000s, and the technique has been repeatedly revived in niche chains rather than as a mainstream initial-access bug.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (2.9/10)

The decisive factor is that useful exploitation almost always requires a second bug, typically same-origin XSS or a proxy desync primitive, so this is not a stand-alone break-in path. Modern browsers also block TRACE, which crushes the classic XST route across a large fraction of real enterprise user traffic.

HIGH Standalone severity is low for patch prioritization

MEDIUM A specific internet-facing app could justify a higher local priority if paired with proven XSS or desync exposure

Why this verdict

Downgrade for attacker position: unauthenticated remote reachability is easy, but the next prerequisite usually implies another vulnerability already exists. Requiring XSS or desync means this is not a true one-step compromise.
Downgrade for exposure reality: the classic XST path depends on browser behavior that modern platforms largely block because TRACE is a forbidden method. That sharply narrows the reachable population compared with what a raw web-scan count suggests.
Keep it above IGNORE: TRACE still leaks request-path behavior to non-browser clients and can materially help niche proxy-smuggling chains. On internet-facing apps with brittle proxies, it remains worth cleaning up as hardening debt.

Why not higher?

There is no direct code execution, auth bypass, or data dump here in isolation. A high-severity score would overstate the real enterprise risk because the attack chain usually depends on a prior app-layer flaw or advanced proxy behavior that should be scored separately.

Why not lower?

It is not pure noise: a server that truly reflects TRACE is exposing unnecessary attack surface and can leak request metadata. In edge cases involving legacy browsers, internal tooling, or request-desync conditions, the method meaningfully amplifies another weakness, so LOW is the floor I would use rather than IGNORE.

05 · Compensating Control

What to do — in priority order.

Disable TRACE and TRACK at the edge and origin — Block the verbs on the load balancer, reverse proxy, WAF, and origin server so a single drifted tier does not re-expose them. Because this is a LOW finding, there is no formal SLA; handle it as backlog hardening in the next normal web-tier change window.
Validate with live requests, not just scanner output — Retest every exposed hostname with an actual TRACE request and confirm you receive 403, 405, or 501 rather than a reflected body. Do this before closing tickets because false positives from OPTIONS/Allow behavior are common.
Prioritize paired app findings on the same host — If the same application also has confirmed XSS, request smuggling, or cache poisoning exposure, promote the combined case locally even though this plugin alone stays LOW. There is no separate mitigation SLA for LOW, but the chained vulnerability should inherit the higher-risk item's deadline.
Alert on rare HTTP verbs — Create detections for TRACE, TRACK, CONNECT, and other uncommon methods at the reverse proxy or WAF. This is cheap visibility and helps catch both probing and accidental reintroduction during config drift.

What doesn't work

HttpOnly alone is not enough; it helps against cookie theft, but it does not remove the reflected-method behavior and does nothing for proxy-desync tuning or non-cookie headers.
Relying on modern browser restrictions alone is incomplete; non-browser clients, internal tools, and server-side smuggling chains are not bound by Fetch's forbidden-method rules.
Closing the ticket because OPTIONS no longer lists TRACE is weak validation; the only answer that matters is what a real TRACE request returns.

06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation or CI runner that can reach the target URL over the same path your users hit. Invoke it as bash trace_check.sh https://app.example.com with no special privileges; it uses curl to test live TRACE and TRACK behavior and prints VULNERABLE, PATCHED, or UNKNOWN.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# trace_check.sh
# Verify whether a web endpoint allows HTTP TRACE or TRACK.
# Usage: bash trace_check.sh https://app.example.com
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / usage / network failure

set -u

URL="${1:-}"
if [[ -z "$URL" ]]; then
  echo "UNKNOWN - usage: bash trace_check.sh https://host.example" >&2
  exit 2
fi

if ! command -v curl >/dev/null 2>&1; then
  echo "UNKNOWN - curl not found" >&2
  exit 2
fi

MARKER="noisgate-trace-check-$(date +%s)"
TMPDIR="$(mktemp -d 2>/dev/null || mktemp -d -t noisgate-trace)"
trap 'rm -rf "$TMPDIR"' EXIT

check_method() {
  local method="$1"
  local hdr="$TMPDIR/${method}.headers"
  local body="$TMPDIR/${method}.body"

  curl -ksS -o "$body" -D "$hdr" \
    -X "$method" \
    -H "User-Agent: noisgate-trace-check/1.0" \
    -H "X-Noisgate-Test: $MARKER" \
    --max-time 15 \
    "$URL" >/dev/null 2>&1
  local rc=$?
  if [[ $rc -ne 0 ]]; then
    return 20
  fi

  local status
  status="$(awk 'toupper($1) ~ /^HTTP\// {code=$2} END{print code}' "$hdr")"
  [[ -z "$status" ]] && return 21

  # Strong vulnerable signal: success plus reflected marker or request line.
  if [[ "$status" =~ ^2[0-9][0-9]$ ]] && \
     (grep -qi "$MARKER" "$body" || grep -qi "^${method}[[:space:]]" "$body"); then
    return 10
  fi

  # Some stacks return 200 with empty/non-reflective body; still suspicious.
  if [[ "$status" =~ ^2[0-9][0-9]$ ]]; then
    return 11
  fi

  # Typical blocked responses.
  if [[ "$status" == "403" || "$status" == "405" || "$status" == "501" ]]; then
    return 0
  fi

  # Anything else is ambiguous and needs human review.
  return 21
}

vuln=0
unknown=0
notes=()
for method in TRACE TRACK; do
  check_method "$method"
  rc=$?
  case "$rc" in
    10)
      vuln=1
      notes+=("$method reflected request data")
      ;;
    11)
      vuln=1
      notes+=("$method returned 2xx")
      ;;
    0)
      notes+=("$method blocked")
      ;;
    20|21)
      unknown=1
      notes+=("$method ambiguous")
      ;;
  esac
done

if [[ $vuln -eq 1 ]]; then
  echo "VULNERABLE - ${notes[*]}"
  exit 1
fi

if [[ $unknown -eq 1 ]]; then
  echo "UNKNOWN - ${notes[*]}"
  exit 2
fi

echo "PATCHED - ${notes[*]}"
exit 0

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: do not let plugin 11213 jump ahead of exploitable edge bugs, but do clean it up as standard web hardening. For a LOW verdict there is no noisgate mitigation SLA and no noisgate remediation SLA beyond backlog hygiene, so validate the finding with a live TRACE request now, suppress false positives, and fold real exposures into your next normal reverse-proxy/origin configuration cycle; only fast-track it if the same host also has confirmed XSS or request-smuggling exposure.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.