Tuesday, 15 August 2017

How to: Disable the HTTP TRACE Method



Most vulnerability scanners will complain about TRACE method being enabled on the web server tested.

Normally you will have this enabled by default, but if you want to test if it is really enabled on your server you just have to telnet on the port your web server is running and request for “TRACE / HTTP/1.0” if you get a positive reply it means TRACE is enabled on your system. The output of a server with TRACE enabled will look like:

[root@nixguru ~]# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: nixguru
Any text entered here will  be echoed back in the response <- ENTER twice to finish
HTTP/1.1 200 OK
Date: Tue, 15 Aug 2017 10:24:52 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.6.31
Connection: close
Content-Type: text/html; charset=iso-8859-1
TRACE / HTTP/1.0
Host: nixguru
Any text entered here will  be echoed back in the response
Connection closed by foreign host.

Method: 1
Add the below lines somewhere in main apache configuration file outside of any virtual host or directory configuration.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

Method: 2
In apache 2.0.55 or newer we can do very easily because there is a new apache variable that controls if TRACE method is enabled or not. This need to be added in the main apache configuration file and the default is enabled. 
TraceEnable off

Once the above settings are done need to reload apache service and verify the same as below:
[root@nixguru ~]# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: nixguru
Testing.....  <- ENTER twice
HTTP/1.1 403 Forbidden
Date: Tue, 15 Aug 2017 10:24:56 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.6.31
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
On this server.</p>
<hr>
<address> Server: Apache/2.4.6 (CentOS) PHP/5.6.31  Server at nixguru Port 80</address>
</body></html>
Connection closed by foreign host.

No comments:

Post a comment