Apache Hardening Tutorial: Disable HTTP Trace / Cross Site Method

Description

What is HTTP Trace ? Apache Hardening Tutorial

This article is part of the Apache Hardening and Securing tutorial series. This time we will be taking a look on HTTP Trace find how to check if you are vulnerable and how to fix it.


Apache Hardening Tutorial Series:

1- Secure Apache Web Server - Use SSLScan and Disable Ciphers:
https://goo.gl/mb7pYz


2- Apache Secure Tutorial: Hide HTTP Header and Disable Directory Listing:
https://goo.gl/VqcLrG


3- Apache Hardening Tutorial: Disable HTTP Trace / Cross Site Method
https://goo.gl/KJnbDS



If your webserver has the HTTP Trace enabled this going to put it into a risk of Cross-Site Tracing and use of Cross-site Scripting (XSS).

TRACE: This method simply echoes back to the client whatever string has been sent to the server, and is used mainly for debugging purposes.

The TRACE method, while it looks fine, it can be used in some scenarios to steal customers' credentials. It allows the client to see what is being received at the other end of the request.

This attack method was first discovered in 2003.

Find if your Web-server is Vulnerable

To check if the trace is enabled by default or not disabled you can use curl for that.
-k To perform insecure connection.

-X Use specified proxy

curl -k -X TRACE https://ip.ip.ip.ip/

If the HTTP Trace is enabled you will be getting something similar to below output and means that you are vulnerable to cross site tracing.

TRACE /phpinfo.php HTTP/1.1
User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: ip.ip.ip.ip
Accept: */*

Disable HTTP Trace and Secure your Web-server

vi /etc/httpd/conf/httpd.conf

Add

TraceEnable Off

Save

service httpd restart

After disabling HTTP Trace try the curl command to check the status
Comments
Aniket Dumbre
It's disabled on our server.
212 days ago
 

Upcoming Events

Upcoming Birthdays

Please login to see colleague birthdays

Work Anniversaries

Please login to see colleague birthdays

Who's Online

2 users online