HTTP Verb Allowed


The customer might report the following as a Vulnerability:

  • ASP.NET tracing is a debugging feature that is designed for use during development to help troubleshoot problems. It discloses sensitive information to users, and, if enabled in production contexts, it may present a serious security threat.
  • Application-level tracing enables any user to retrieve full details about recent requests to the application, including those of other users. This information typically includes session tokens and request parameters, which may enable an attacker to compromise other users and even take control of the entire application.
  • Page-level tracing returns the same information but relating only to the current request. This may still contain sensitive data in session and server variables that would be of use to an attacker.


This article provides a resolution for this vulnerability.




Access to the host server/access to the superuser account.


All requests in IIS are handled by modules. The OPTIONS requests are handled by the ProtocolSupportModule, which is not essential.

If we remove that module, the server does not respond to the OPTIONS request anymore, which you still want to support. So we have to use another module to answer those.

  1. Open %SystemRoot%\System32\inetsrv\config\applicationHost.config
  2. Search for OPTIONSVerbHandler comment that line and while you are at it, the one above (TRACEVerbHandler) as well.
  3. Now add a new node:
<add name="MyOPTIONSVerbHandler" path="*" verb="OPTIONS" modules="StaticFileModule" requireAccess="None" />

The whole block should look like this:

    <!--  <add name="TRACEVerbHandler" path="*" verb="TRACE" modules="ProtocolSupportModule" requireAccess="None" /> 
<add name="OPTIONSVerbHandler" path="*" verb="OPTIONS" modules="ProtocolSupportModule" requireAccess="None" /> -->
<add name="MyOPTIONSVerbHandler" path="*" verb="OPTIONS" modules="StaticFileModule" requireAccess="None" />

Now the staticFileModule will process the OPTIONS requests but it will not return any content.
If you now make a OPTIONS request to the server, you will not get an Allow nor a Public header. But you can add them easily in web.config

<add name="Allow" value="GET,POST,HEAD" />
<add name="Public" value="GET,POST,HEAD" />



Please sign in to leave a comment.