Exploring Non-Standard HTTP Methods: TRACK and TRACE for Penetration Testing

Listen to this Post

Featured Image
When using tools like Burp Suite or OWASP ZAP, tracking non-standard HTTP methods like TRACK can reveal valuable insights during penetration testing. For example:

TRACK / HTTP/1.1 
Host: example.com 
User-Agent: Googlebot 

A 502 Bad Gateway response suggests:

  • The request reached a reverse proxy (e.g., Apache, Cloudflare).
  • The backend server or an inline device (WAF, load balancer) rejected the method.
  • The gateway failed to handle the response properly.

You Should Know:

Testing Non-Standard Methods

1. Common HTTP Methods:

  • Standard: GET, POST, HEAD, `OPTIONS`
  • Non-Standard: PUT, PATCH, DELETE, CONNECT, TRACE, `TRACK`

2. Testing with cURL:

curl -X TRACE http://example.com -H "User-Agent: Googlebot" 
curl -X TRACK http://example.com -I 

3. Burp Suite Repeater:

  • Send manual requests with unusual methods (TRACK, TRACE, MKCOL).
  • Check for reflected headers or unexpected responses.

4. Response Code Analysis:

– `1xx` (Informational)
– `2xx` (Success)
– `3xx` (Redirection)
– `4xx` (Client Error)
– `5xx` (Server Error, e.g., 502 Bad Gateway)

5. Exploiting TRACE/TRACK:

  • If enabled, these methods may allow Cross-Site Tracing (XST), leaking sensitive headers or cookies.
  • Test with:
    TRACE / HTTP/1.1 
    Host: vuln-site.com 
    Cookie: session=malicious-test 
    

6. Automated Scanning with Nmap:

nmap --script http-methods --script-args http-methods.url-path=/target/ target.com 

7. WAF Bypass Attempts:

  • Some WAFs filter standard methods but miss non-standard ones.
  • Try `TRACK` or `ARBITRARY` methods to bypass restrictions.

What Undercode Say:

Non-standard HTTP methods like TRACK and TRACE can reveal misconfigurations in proxies, load balancers, or backend servers. While a 502 error doesn’t confirm a vulnerability, it indicates unusual behavior worth deeper inspection. Always test for header reflection, WAF bypasses, and potential XST flaws.

Expected Output:

  • 502 Bad Gateway → Investigate proxy/gateway behavior.
  • 200 OK on TRACE/TRACK → Check for header leakage.
  • Unsupported Method (405) → Move to other attack vectors.

Prediction:

As web infrastructures evolve, misconfigured HTTP methods will remain a key entry point for attackers. Automated scanners may soon incorporate deeper TRACK/TRACE analysis to uncover hidden vulnerabilities.

URLs for further reading:

References:

Reported By: Activity 7331880409724502016 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram