Trace.axd
leaks sensitive information by allowing unauthenticated users to view previous requests sent to the web server.
- Visit $URL
- Click on "View Details" for any request that seems interesting.
The trace output can reveal the following (but is not limited to):
- Cookies, session tokens, and CSRF tokens
- IP addresses and headers
- Application-specific information (endpoints, files and directories on the filesystem, software versions, etc.)
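As an added example that is not part of the original finding, the ASP.NET web.config setting that exposes trace.axd remotely, next to the hardened form; the requestLimit value and the two-fragment layout are illustrative:

```xml
<!-- Added example, not from the original finding. Two web.config fragments for an
     ASP.NET application; attribute values are illustrative. -->

<!-- Exposed: tracing is enabled and localOnly="false" lets any remote, unauthenticated
     client read the most recent requests (cookies, headers, server variables) at /trace.axd. -->
<configuration>
  <system.web>
    <trace enabled="true" localOnly="false" requestLimit="40" mostRecent="true" />
  </system.web>
</configuration>

<!-- Hardened: tracing disabled in production. If it must stay on for debugging, keep
     localOnly="true" so trace.axd only answers requests originating on the server itself,
     and deny anonymous users ("?") access to the handler as defence in depth. -->
<configuration>
  <system.web>
    <trace enabled="false" localOnly="true" />
  </system.web>
  <location path="trace.axd">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

After deploying the change, confirm that /trace.axd returns an error or redirect for an unauthenticated remote request rather than the "Application Trace" page.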