Trace.axd Information Leak

ID

trace.axd_information_leak

Severity

high

Kind

Information Disclosure

CWE

215

Description

The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information.

Rationale

The ASP.NET Trace Viewer exposes detailed diagnostic information including request parameters, session variables, server variables, cookies, form data, and application state for recent requests. Attackers accessing trace.axd can view sensitive data from other users' requests, including authentication tokens, passwords submitted in forms, API keys, and internal application paths. This information disclosure can reveal authentication mechanisms, session management flaws, internal system architecture, and sensitive business data. The trace viewer effectively provides a window into the application’s runtime behavior and data flow without requiring authentication in misconfigured deployments.

Remediation

Consider whether the Trace Viewer is actually required in production; if it is not, disable it. If it is, ensure that access to it requires authentication and authorization.
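As an added illustration (not part of the original finding text), the following web.config fragment for an ASP.NET Framework application shows the exposed configuration commented out beside the hardened one; the "Administrators" role name is an assumption.

```xml
<!-- Constructed example web.config (ASP.NET Framework), not from the original finding. -->
<configuration>
  <system.web>
    <!-- WEAK: tracing enabled and viewable from any remote client, so
         /trace.axd lists recent requests with their cookies, form fields,
         session and server variables. -->
    <!-- <trace enabled="true" localOnly="false" pageOutput="false" /> -->

    <!-- FIXED (preferred): tracing switched off entirely in production. -->
    <trace enabled="false" />

    <!-- Alternative if tracing is genuinely required: keep it reachable
         from the local machine only (localOnly="true" is also the default). -->
    <!-- <trace enabled="true" localOnly="true" requestLimit="10" /> -->
  </system.web>

  <!-- Defence in depth: even if tracing is re-enabled later, the handler
       path itself requires an authenticated user in an assumed admin role.
       Rules are evaluated in order, so the allow must precede the deny. -->
  <location path="trace.axd">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

After deploying, confirm from a non-loopback client that /trace.axd returns a 403, a 404 or a login redirect rather than the request listing.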