Saturday, 26 August 2017

How to disable Trace/Track in Apache/httpd



The TRACE method is enabled by default in an apache/httpd installation. This could expose server to certain Cross-Site Scripting attacks.  There are two methods directive and rewrite rule to disable the TRACE method. In this tutorial, we will show how to check for TRACE support on Apache2/httpd server using curl, and then disable if it is enabled.


To check the TRACE status enable/disable use curl command as below:

[root@linuxcnf ~]# curl -i -X TRACE http://192.168.43.106/
HTTP/1.1 200 OK
Date: Fri, 25 Aug 2017 23:25:12 GMT
Server: Apache/2.4.6 (CentOS)
Transfer-Encoding: chunked
Content-Type: message/http

TRACE / HTTP/1.1
User-Agent: curl/7.29.0
Host: 192.168.43.106
Accept: */*

As per above output, we are getting a response from the server for the TRACE request. We can disable it by following below two methods:

Method – 1:  if Apache 1.3.34, 2.0.55, or anything in the 2.2 release, we can add the TraceEnable directive into “/etc/httpd/conf/httpd.conf” in global section and set the value to off.

[root@linuxcnf ~]# vi /etc/httpd/conf/httpd.conf

Now add this directive to the global section:

TraceEnable off

Save and close the file and restart apache/httpd service:

[root@linuxcnf ~]# service httpd restart

Now check the TRACE status again using curl command and you will get 405 method not allowed:

[root@linuxcnf ~]# curl -i -X TRACE http://192.168.43.106/
HTTP/1.1 405 Method Not Allowed
Date: Fri, 25 Aug 2017 23:27:22 GMT
Server: Apache/2.4.6 (CentOS)
Allow:
Content-Length: 223
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /.</p>
</body></html>

Method – 2:  To achive this using apache plug-in modules, in addition to disabling the TRACE method, add these RewriteRule directives which are used to disable TRACE, which is also works with any version of apache/httpd that supports mod_rewrite. The directives below would need to be set in apache/httpd configuration file as below:

First, make sure that mod_rewrite is loaded.  If mod_rewrite module is missing in apache/httpd configuration then install if not installed and add the following line to load mod_rewrite module in apache/httpd configuration file:

[root@linuxcnf ~]# vi /etc/httpd/conf/httpd.conf

LoadModule  rewrite_module  /usr/lib64/httpd/modules/mod_rewrite.so "
Then add the following lines as well to httpd.conf file:
[root@linuxcnf ~]# vi /etc/httpd/conf/httpd.conf

RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

Now check the TRACE status again using curl command and you will get 403 Forbidden:

[root@linuxcnf ~]# curl -i -X TRACE http://192.168.43.106/
HTTP/1.1 403 Forbidden
Date: Sat, 26 Aug 2017 02:14:59 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8

PN: - By default, rewrite rule configurations are not inherited across virtual hosts. Do the same steps for configuration and validation for all the virtual hosts as well.


No comments:

Post a comment