How To Disable HTTP Trace
TRACE and TRACK are HTTP methods used for debugging webserver connections: the server echoes the request it received back to the client. Although these methods are useful for legitimate purposes, they may compromise the security of your server by enabling cross-site tracing (XST), a variant of cross-site scripting. By exploiting certain browser vulnerabilities, an attacker may use the TRACE and TRACK methods to intercept your visitors' sensitive data (the request headers, including cookies, that the server echoes back). The solution is to disable these methods on your webserver.
By default the TRACE method is enabled in Apache.
Verification
Here is an example of how to check whether HTTP TRACE is enabled on your webserver. The request is typed by hand into a telnet session on port 80; if TRACE is enabled, the server answers 200 OK and echoes your request back in a message/http body:
[root@cluster2 ~]# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: 127.0.0.1
(press ENTER twice here)
HTTP/1.1 200 OK
Date: Sat, 11 May 2013 14:46:59 GMT
Server: Apache/2.2.3 (Red Hat)
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http

25
TRACE / HTTP/1.1
Host: 127.0.0.1

0

Connection closed by foreign host.
To disable the TRACE and TRACK HTTP methods on your Apache-powered webserver, add the following directives to your main configuration file /etc/httpd/conf/httpd.conf:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
These directives disable the TRACE and TRACK methods via the following process:
RewriteEngine on: enables Apache's rewrite module (this directive is not required if it is already present in your htaccess file)
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK): matches all TRACE and TRACK request methods for the following rule
RewriteRule .* - [F]: returns a 403 Forbidden error response for all matched conditions (i.e., all TRACE and TRACK requests)
With these rules in place, your site is protected against one more potential security vulnerability.
So add these 3 lines as shown below:
# vim /etc/httpd/conf/httpd.conf
<VirtualHost www.example.com>
...
# disable TRACE in the www.example.com virtual host
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</VirtualHost>
Save & Exit
Note:
If you have N Virtual Hosts configured, then you need to do the same for all of them: the rules only apply inside the VirtualHost block that contains them.
mod_rewrite must be active for these directives to be accepted. (Apache httpd 2.0.55 and later also provide the core directive TraceEnable off, which refuses TRACE server-wide without mod_rewrite.)
Now restart your apache service: /etc/init.d/httpd restart
Here is an example of how to check that HTTP TRACE is now disabled on your webserver. The same request should now be answered with 403 Forbidden instead of an echo of the request:
[root@cluster2 ~]# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
TRACE / HTTP/1.1
Host: 127.0.0.1
(press ENTER twice here)
HTTP/1.1 403 Forbidden
Date: Sat, 11 May 2013 15:08:59 GMT
Server: Apache/2.2.3 (Red Hat)
Accept-Ranges: bytes
Content-Length: 3985
Connection: close
Also verify the apache access log file:
Before TRACE disable:
127.0.0.1 - - [11/May/2013:07:31:49 -0700] "TRACE / HTTP/1.1" 200 37 "-" "-"
After TRACE disable:
127.0.0.1 - - [11/May/2013:08:04:51 -0700] "TRACE / HTTP/1.1" 403 3985
So now your site is protected against one more potential security vulnerability :)
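The two checks above (the raw TRACE request over telnet and the access-log review) as an added Python script that is not part of the original document. check_trace sends the same request the telnet session types and classify_trace_response decides from the reply whether TRACE is enabled; trace_requests_served scans access-log lines for TRACE/TRACK requests that were answered 200. The sample responses and log lines are constructed to mirror the ones shown above; host and port are whatever you point it at.

```python
import re
import socket

# Constructed sample responses modelled on the telnet sessions above
# (not captured from a real host).
TRACE_ENABLED = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (Red Hat)\r\n"
                 b"Transfer-Encoding: chunked\r\nContent-Type: message/http\r\n\r\n"
                 b"25\r\nTRACE / HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n\r\n0\r\n\r\n")
TRACE_BLOCKED = (b"HTTP/1.1 403 Forbidden\r\nServer: Apache/2.2.3 (Red Hat)\r\n"
                 b"Content-Length: 3985\r\nConnection: close\r\n\r\n")

def classify_trace_response(raw: bytes) -> str:
    """Return 'enabled', 'blocked' or 'unknown' for a raw reply to a TRACE request.

    TRACE counts as enabled only when the server answers 200 AND echoes the
    request back as a message/http body, which is what a working TRACE does;
    a bare 200 (e.g. a catch-all page) is reported as 'unknown', not 'enabled'.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    m = re.match(rb"HTTP/\d\.\d (\d{3})", head)
    if not m:
        return "unknown"
    status = int(m.group(1))
    echoed = b"content-type: message/http" in head.lower() and b"TRACE / HTTP/1." in body
    if status == 200 and echoed:
        return "enabled"
    if status in (403, 405, 501):   # 403 from the [F] rule, 405/501 if the method is refused
        return "blocked"
    return "unknown"

def check_trace(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send the same raw request the telnet session above types, then classify the reply."""
    req = f"TRACE / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))

# Access-log side: flag TRACE/TRACK requests that the server actually served.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) [^"]*HTTP/[\d.]+" (?P<status>\d{3})')

def trace_requests_served(log_lines):
    """Return [(method, status), ...] for TRACE/TRACK log lines answered with 200."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m["method"] in ("TRACE", "TRACK") and m["status"] == "200":
            hits.append((m["method"], 200))
    return hits
```

Run check_trace against each virtual host name, not only 127.0.0.1, since the rewrite rules only cover the VirtualHost blocks they were added to.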