Authentication bypass via Information disclosure

Video description: Authentication bypass via Information disclosure

Insecure configuration of a web application can lead to an information disclosure vulnerability that allows an attacker to access sensitive information. In this educational video we see how an attacker can use the HTTP "TRACE" method to obtain sensitive information and then use that information to bypass the application's authentication and reach the administrator panel.

Web Security Academy | Lab: Authentication bypass via information disclosure:
https://portswigger.net/web-security/...

The TRACE method is intended for debugging and testing: it lets developers see exactly how a server is handling a request and identify any issues that may be occurring. However, it also poses a security risk, because the server echoes the request back as it received it, which can expose sensitive information such as authentication credentials or session IDs to malicious actors. Therefore, in a production environment the TRACE method MUST be disabled to prevent exposing sensitive information to malicious users.
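As an added example that is not part of the video or the PortSwigger lab, the Python below shows a defender's view of the same issue: one function reports which credential-bearing headers a TRACE response echoed, and a small WSGI middleware refuses TRACE so nothing is echoed at all. The sensitive-header list, the middleware and the sample response are constructed for illustration.

```python
import re
from typing import Callable, Iterable

# Header names whose reflection by TRACE would leak credentials or session
# material. Assumption: illustrative list, extend it for your own deployment.
SENSITIVE_HEADER = re.compile(
    r"^(cookie|authorization|proxy-authorization|x-.*(auth|token|session).*)$", re.I
)

def parse_http_message(raw: str) -> tuple[str, dict[str, str], str]:
    """Split an HTTP message into start line, headers (lower-cased names) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    start_line, *header_lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return start_line, headers, body

def reflected_sensitive_headers(trace_response: str) -> list[str]:
    """Names of credential-bearing headers a server echoed in a TRACE response.

    A successful TRACE response carries the request as the server received it
    (Content-Type: message/http), so any credential header added by the client
    or by an upstream proxy comes straight back to whoever issued the TRACE.
    """
    status_line, headers, body = parse_http_message(trace_response)
    parts = status_line.split()
    if len(parts) < 2 or parts[1] != "200" or \
            not headers.get("content-type", "").startswith("message/http"):
        return []  # nothing echoed: the method is disabled or was rejected
    _request_line, echoed, _ = parse_http_message(body)
    return [name for name in echoed if SENSITIVE_HEADER.match(name)]

def deny_trace(app: Callable) -> Callable:
    """WSGI middleware: answer TRACE with 405 so the request is never echoed."""
    def wrapper(environ, start_response) -> Iterable[bytes]:
        if environ.get("REQUEST_METHOD", "").upper() == "TRACE":
            start_response("405 Method Not Allowed",
                           [("Allow", "GET, POST"), ("Content-Length", "0")])
            return [b""]
        return app(environ, start_response)
    return wrapper

# Constructed sample: what a misconfigured server returns for TRACE /admin.
SAMPLE_TRACE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
    "TRACE /admin HTTP/1.1\r\nHost: example.test\r\n"
    "Cookie: session=CONSTRUCTED-SAMPLE\r\nAuthorization: Basic Q09OU1RSVUNURUQ=\r\n\r\n"
)

if __name__ == "__main__":
    print("echoed credential headers:", reflected_sensitive_headers(SAMPLE_TRACE_RESPONSE))
```

Running the script on the constructed sample lists `cookie` and `authorization` as echoed, which is exactly what should be absent once TRACE is disabled at the server (or refused by the middleware).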

NOTE: This video is made ONLY for educational purposes and to help developers and security researchers enhance their security knowledge, thereby allowing them to remediate potential vulnerabilities in their OWN applications.

Twitter: / tracethecode
