
I have this VAPT comment to be resolved.

I need to disable trace option from APIs.

HTTP methods:

|   Supported Methods: OPTIONS TRACE GET HEAD POST 
|_  Potentially risky methods: TRACE

I tried to disable it from appsettings.json by changing the log level like this:

"Logging": {
  "LogLevel": {
    "Default": "Trace",
    "Microsoft.AspNetCore.Hosting.Internal.WebHost": "None",
    "Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker": "None"
  }
}


Answers


  1. Chosen as BEST ANSWER

    Added the below code in the startup file of .NET Core; it solved the issue.

    // Registered in the request pipeline (Startup.Configure or Program.cs)
    // ahead of the other middleware so a TRACE request never reaches them.
    app.Use(async (context, next) =>
    {
        if (string.Equals(context.Request.Method, "TRACE", StringComparison.OrdinalIgnoreCase))
        {
            // Answer the request here with 405 instead of passing it on.
            context.Response.StatusCode = StatusCodes.Status405MethodNotAllowed;
        }
        else
        {
            await next();
        }
    });
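    A complete minimal-hosting Program.cs built on the same idea as the accepted answer, added here as an illustration (it is not the answer's code or any project's code). It registers the check as the very first middleware so nothing downstream can echo a TRACE request, uses an allow-list of methods rather than a deny-list of TRACE alone, adds the Allow header that a 405 response is expected to carry, and logs each rejection so the events are visible in the application's logs. The allowed method list and the use of the Web SDK's implicit usings are assumptions of this example.

```csharp
// Program.cs for a minimal-hosting ASP.NET Core app (.NET 6 or later).
// Added example, not the answer's code. Relies on the Web SDK's implicit usings
// (Microsoft.AspNetCore.Http, Microsoft.Extensions.Logging, System.Linq, ...).
var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Methods this API actually serves (assumed for the example). Anything else,
// TRACE included, is answered with 405 before the rest of the pipeline runs.
var allowedMethods = new[] { "GET", "HEAD", "POST", "OPTIONS" };
var allowHeader = string.Join(", ", allowedMethods);

// First middleware in the pipeline: routing, static files and exception pages
// registered later never see a rejected request, so nothing can echo it back.
app.Use(async (context, next) =>
{
    // HTTP method names are case-sensitive; an ordinal comparison also rejects
    // oddly-cased variants such as "Trace" instead of treating them as custom methods.
    if (!allowedMethods.Contains(context.Request.Method, StringComparer.Ordinal))
    {
        app.Logger.LogWarning("Rejected {Method} request from {RemoteIp} for {Path}",
            context.Request.Method, context.Connection.RemoteIpAddress, context.Request.Path);

        context.Response.StatusCode = StatusCodes.Status405MethodNotAllowed;
        // A 405 is expected to tell the client which methods the resource does support.
        context.Response.Headers["Allow"] = allowHeader;
        return;
    }

    await next(context);
});

app.MapGet("/", () => "ok");
app.Run();
```

    After `dotnet run`, a TRACE request to any path returns 405 with `Allow: GET, HEAD, POST, OPTIONS` and a warning line in the log; re-running the method scan from the question should no longer list TRACE among the supported methods.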
    

  2. If you are using Azure Web Apps and IIS to host your ASP.NET Core web API application, I suggest you modify the published web.config as below:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <location path="." inheritInChildApplications="false">
        <system.webServer>
          <handlers>
            <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
          </handlers>
          <aspNetCore processPath="dotnet" arguments=".\Core7Test.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="inprocess" />
        </system.webServer>
      </location>
      <system.webServer>
        <security>
          <requestFiltering>
            <!-- IIS request filtering rejects the verb before it reaches the app -->
            <verbs>
              <add verb="Trace" allowed="false" />
            </verbs>
          </requestFiltering>
        </security>
      </system.webServer>
    </configuration>

    Then, when you send the TRACE method, it will not return any value to the client.
