I've been doing some reading concerning different ways to test applications, and more specifically, web applications. The last couple of books have mentioned cross-site tracing, and how to test to see if the server could be vulnerable. We use WebInspect on many of our tests, and I know I have seen the vulnerability come up. But that got me thinking: where does DISA./DoD talk about configuring the web server to turn off TRACE? I looked through the Apache STIG (both 1.3.x and 2.x) and the IIS STIG (both IIS 5 and 6.) I did not find any mention of the TRACE verb and how the server should be configured in the DoD's eyes. Further, I looked in the Application Security and Development STIG, and I did not see a finding/check in that STIG either. (I did not expect to, since the finding really is a function of the server, and not the application.)
The closest the Application Security and Development STIG comes is a discussion in the finding for cross-site scripting. There are three checks within the cross-site scripting finding that deal directly with cross-site scripting. The fourth check specifically discusses the HttpOnly flag being set on cookies. However, what makes cross-site tracing a bigger risk is that it has the ability to read/steal/reveal cookies even if the cookies have the HttpOnly flag set.
A great paper on the attack is here.
So, am I missing something in a STIG or checklist? Or, is there really no guidance on web servers for the TRACE verb?