This CERT Vulnerability Note crossed my mailbox recently. It’s over 3 years old, but I had never seen it before.

From the note: The HTTP TRACE method returns the contents of client HTTP requests in the entity-body of the TRACE response. Attackers could leverage this behavior to access sensitive information, such as cookies or authentication data, contained in the HTTP headers of the request..

I’m not really sure how much of a Real World concern this is, but heres a python script to quickly check if your website is affected.

import httplib

h = httplib.HTTPConnection("your.site.here", 80)
h.connect()
h.request("TRACE", "index.html")
res = h.getresponse()
# 405 is "more correct", but 403 will do in a pinch
if res.status != 405 or res.status != 403:
    print "FAIL! - Allowed TRACE as a method!"
else:
    print "PASS! - Denied TRACE as a method."
h.close()