How To Disable HTTP Trace

The document discusses how to disable the HTTP TRACE and TRACK methods on an Apache web server to prevent security vulnerabilities. It provides steps to check if these methods are currently enabled, add directives to the Apache configuration file to disable them, and verify they are now blocked by checking the server response and access logs. The directives rewrite all TRACE and TRACK requests to return a 403 forbidden error.

How to disable HTTP Trace & Track methods?

TRACE and TRACK are HTTP methods used for debugging web server connections: the server echoes the request it received back to the client. Although these methods are useful for legitimate purposes, they may compromise the security of your server by enabling cross-site scripting (XSS) attacks. By exploiting certain browser vulnerabilities, an attacker may manipulate the TRACE and TRACK methods to intercept your visitors' sensitive data. The solution is to disable these methods on your web server.
By default the TRACE method is enabled in Apache.
Verification
Here is an example of how to check whether HTTP TRACE is enabled on your web server:
[root@cluster2 ~]# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: 127.0.0.1
(press ENTER twice here)
HTTP/1.1 200 OK
Date: Sat, 11 May 2013 14:46:59 GMT
Server: Apache/2.2.3 (Red Hat)
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http
25
TRACE / HTTP/1.1
Host: 127.0.0.1
0
Connection closed by foreign host.
To disable the TRACE and TRACK HTTP methods on your Apache-powered web server, add the following directives to your main configuration file, /etc/httpd/conf/httpd.conf:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
These directives disable the TRACE and TRACK methods as follows:
RewriteEngine on - enables Apache's rewrite module (this directive is not required if it is already present in your .htaccess file)
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) - matches all TRACE and TRACK request methods for the rule that follows
RewriteRule .* - [F] - returns a 403 Forbidden error response for every matched request (i.e., all TRACE and TRACK requests)
With these rules in place, your site is protected against one more potential security vulnerability.
So add these 3 lines as shown below:
# vim /etc/httpd/conf/httpd.conf
<VirtualHost www.example.com>
...
# disable TRACE in the www.example.com virtual host
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</VirtualHost>
Save & Exit
Note:
If you have several virtual hosts configured, you need to add the same lines to every one of them.
mod_rewrite must be loaded for these directives to be accepted.
Now restart your Apache service: /etc/init.d/httpd restart
Here is an example of how to check that HTTP TRACE is now disabled on your web server:
[root@cluster2 ~]# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
TRACE / HTTP/1.1
Host: 127.0.0.1
(press ENTER twice here)
HTTP/1.1 403 Forbidden
Date: Sat, 11 May 2013 15:08:59 GMT
Server: Apache/2.2.3 (Red Hat)
Accept-Ranges: bytes
Content-Length: 3985
Connection: close
Also verify the Apache access log file:
Before TRACE disable:
127.0.0.1 - - [11/May/2013:07:31:49 -0700] "TRACE / HTTP/1.1" 200 37 "-" "-"
After TRACE disable:
127.0.0.1 - - [11/May/2013:08:04:51 -0700] "TRACE / HTTP/1.1" 403 3985
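The log check above looks at one line at a time; over a full access log the useful question is whether any TRACE or TRACK request was still answered with a 2xx after the change. The following script is an added example, not part of the original page. It parses common/combined-format lines like the ones shown and sorts every TRACE or TRACK entry into served (2xx, the method is still enabled for that virtual host) or refused (403 from the RewriteRule, 405 from TraceEnable off). The sample lines are constructed, modelled on the page's before/after entries; the 192.0.2.10 client, the GET line and the malformed line are invented filler.

```python
"""Audit Apache access-log lines for TRACE/TRACK requests."""
import re
from collections import Counter

# Common Log Format prefix; the combined format's referer/user-agent tail is optional.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample, modelled on the before/after lines shown on the page.
SAMPLE_LOG = """\
127.0.0.1 - - [11/May/2013:07:31:49 -0700] "TRACE / HTTP/1.1" 200 37 "-" "-"
127.0.0.1 - - [11/May/2013:07:32:02 -0700] "GET /index.html HTTP/1.1" 200 5043 "-" "curl/7.15.5"
127.0.0.1 - - [11/May/2013:08:04:51 -0700] "TRACK / HTTP/1.1" 403 3985
127.0.0.1 - - [11/May/2013:08:04:51 -0700] "TRACE / HTTP/1.1" 403 3985
192.0.2.10 - - [11/May/2013:08:10:00 -0700] "TRACE / HTTP/1.1" 405 238 "-" "-"
this line is deliberately malformed and must be counted, not crashed on
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None when it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def audit_trace(lines):
    """Classify TRACE/TRACK entries.

    Returns a dict with:
      served   - entries answered 2xx (the method is still enabled)
      refused  - entries answered 403/405/501
      other    - TRACE/TRACK entries with any other status
      unparsed - number of lines that did not match the log format
      clients  - Counter of client addresses that sent TRACE/TRACK
    """
    report = {"served": [], "refused": [], "other": [], "unparsed": 0,
              "clients": Counter()}
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            report["unparsed"] += 1
            continue
        if entry["method"] not in ("TRACE", "TRACK"):
            continue
        status = int(entry["status"])
        report["clients"][entry["client"]] += 1
        if 200 <= status < 300:
            report["served"].append(entry)
        elif status in (403, 405, 501):
            report["refused"].append(entry)
        else:
            report["other"].append(entry)
    return report


def trace_still_served(lines):
    """True when any TRACE/TRACK request in the lines got a 2xx answer."""
    return bool(audit_trace(lines)["served"])


if __name__ == "__main__":
    report = audit_trace(SAMPLE_LOG.splitlines())
    for entry in report["served"]:
        print("STILL ENABLED:", entry["client"], entry["time"],
              entry["method"], entry["status"])
    print("refused: %d, unparsed: %d, clients: %s"
          % (len(report["refused"]), report["unparsed"], dict(report["clients"])))
```

To run it over a real log, pass open("/var/log/httpd/access_log") to audit_trace() instead of SAMPLE_LOG.splitlines(); any served entry dated after the restart points at a virtual host that did not get the three lines.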
So now your site is protected against one more potential security vulnerability. :)
