Apache Hardening Tutorial: Disable HTTP Trace / Cross Site Method


What is HTTP Trace ? Apache Hardening Tutorial

This article is part of the Apache Hardening and Securing tutorial series. This time we will be taking a look on HTTP Trace find how to check if you are vulnerable and how to fix it.

Apache Hardening Tutorial Series:

1- Secure Apache Web Server - Use SSLScan and Disable Ciphers:

2- Apache Secure Tutorial: Hide HTTP Header and Disable Directory Listing:

3- Apache Hardening Tutorial: Disable HTTP Trace / Cross Site Method

If your webserver has the HTTP Trace enabled this going to put it into a risk of Cross-Site Tracing and use of Cross-site Scripting (XSS).

TRACE: This method simply echoes back to the client whatever string has been sent to the server, and is used mainly for debugging purposes.

The TRACE method, while it looks fine, it can be used in some scenarios to steal customers' credentials. It allows the client to see what is being received at the other end of the request.

This attack method was first discovered in 2003.

Find if your Web-server is Vulnerable

To check if the trace is enabled by default or not disabled you can use curl for that.
-k To perform insecure connection.

-X Use specified proxy

curl -k -X TRACE https://ip.ip.ip.ip/

If the HTTP Trace is enabled you will be getting something similar to below output and means that you are vulnerable to cross site tracing.

TRACE /phpinfo.php HTTP/1.1
User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: ip.ip.ip.ip
Accept: */*

Disable HTTP Trace and Secure your Web-server

vi /etc/httpd/conf/httpd.conf


TraceEnable Off


service httpd restart

After disabling HTTP Trace try the curl command to check the status
Aniket Dumbre
It's disabled on our server.
675 days ago

Upcoming Events

No events found.

Upcoming Birthdays

Please login to see colleague birthdays

Work Anniversaries

Please login to see colleague birthdays

Who's Online