Config Files Allow Dangerous Xml Methods
Description
Detects enabled dangerous HTTP methods (DEBUG/TRACE) in XML configuration files. These methods can expose sensitive debugging information and server details to potential attackers, leading to information disclosure vulnerabilities.
Detection Strategy
• Search XML configuration files for <add> tags that configure HTTP methods
• Check if the 'verb' attribute contains 'debug' or 'trace' methods (case insensitive)
• Verify the methods are not explicitly disabled (no allowed='false' attribute)
• Report a vulnerability if dangerous methods are enabled or not explicitly disabled
Vulnerable code example
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<handlers>
<!-- Vulnerable: Enables dangerous DEBUG verb that could expose sensitive info -->
<add verb="DEBUG"/>
<!-- Vulnerable: Enables both DEBUG and DELETE verbs which pose security risks -->
<add verb="DEBUG,DELETE" allowed="true"/>...✅ Secure code example
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<handlers>
<!-- Explicitly disable dangerous verbs -->
<add verb="DEBUG" allowed="false"/> <!-- Disable DEBUG to prevent info disclosure -->
<add verb="DELETE,TRACE" allowed="false"/> <!-- Disable high-risk HTTP methods -->
</handlers>...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.