
How to disable HTTP Trace & Track methods?

TRACE and TRACK are HTTP methods used for debugging webserver connections.
Although these methods are useful for legitimate purposes, they may compromise the security of your
server by enabling cross-site tracing (XST) attacks. By exploiting certain browser vulnerabilities, an
attacker may manipulate the TRACE and TRACK methods to intercept your visitors' sensitive data. The
solution is to disable these methods on your webserver.
By default, the TRACE method is enabled in Apache.
Verification
Here is an example of how to check whether HTTP TRACE is enabled on your webserver.
[root@cluster2 ~]# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: 127.0.0.1
[press ENTER twice here]
HTTP/1.1 200 OK
Date: Sat, 11 May 2013 14:46:59 GMT
Server: Apache/2.2.3 (Red Hat)
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http
25
TRACE / HTTP/1.1
Host: 127.0.0.1
0
Connection closed by foreign host.

To disable the TRACE and TRACK HTTP methods on your Apache-powered webserver, add the following
directives to your main configuration file, /etc/httpd/conf/httpd.conf:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
These directives disable the TRACE and TRACK methods as follows:
RewriteEngine on: enables Apache's rewrite module (this directive is not required if it is already
present in your .htaccess file).
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK): targets all TRACE and TRACK request
methods for the following rule.
RewriteRule .* - [F]: returns a 403 Forbidden error response for all matched conditions (i.e., all TRACE
and TRACK methods).
With these rules in place, your site is protected against one more potential security vulnerability.
So add these 3 lines as shown below:
# vim /etc/httpd/conf/httpd.conf

<VirtualHost www.example.com>
...
# disable TRACE in the www.example.com virtual host
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</VirtualHost>
Save and exit.

Note:
If you have several virtual hosts configured, you need to do the same for each of them.
mod_rewrite must be active for these directives to be accepted.
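
The note above can be checked mechanically before the restart. The following Python sketch is an added example, not part of the original article: it lists, for each <VirtualHost> block in a configuration text, which of TRACE and TRACK are not covered by the three directives. The function names and the shop.example.com and api.example.com hosts are constructed, and it assumes a single file without Include directives and rules written in the form shown above.

```python
import re

METHODS = ("TRACE", "TRACK")
# Constructed sample (not from the article): only the first host has the full rule.
SAMPLE_CONF = r"""
<VirtualHost www.example.com>
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
</VirtualHost>
<VirtualHost shop.example.com>
    DocumentRoot /var/www/shop
</VirtualHost>
<VirtualHost api.example.com>
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^TRACE$
    RewriteRule .* - [F]
</VirtualHost>
"""

def forbids_all(parts):
    """Heuristic: the RewriteRule has the F flag and its pattern matches any path."""
    flags = parts[-1].strip("[]").upper().split(",")
    return len(parts) >= 4 and "F" in flags and all(re.search(parts[1], p) for p in ("/", "/a"))

def audit_vhosts(conf_text):
    """Return {vhost: [methods not blocked]} for every <VirtualHost> block."""
    report, vhost, engine, conds, blocked = {}, None, False, [], set()
    for parts in (line.split() for line in conf_text.splitlines()):
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        word = parts[0].lower()
        if word == "<virtualhost":  # rewrite state is tracked per virtual host
            vhost, engine, conds, blocked = " ".join(parts[1:]).rstrip(">"), False, [], set()
        elif word == "</virtualhost>":
            report[vhost] = [m for m in METHODS if not (engine and m in blocked)]
        elif word == "rewriteengine":
            engine = parts[-1].lower() == "on"
        elif word == "rewritecond":
            conds.append((parts + ["", ""])[1:3])  # [test string, pattern]
        elif word == "rewriterule":
            # A RewriteCond only guards the RewriteRule that directly follows it.
            if len(conds) == 1 and conds[0][0] == "%{REQUEST_METHOD}" and forbids_all(parts):
                blocked |= {m for m in METHODS if re.search(conds[0][1], m)}
            conds = []
    return report

if __name__ == "__main__":
    print(audit_vhosts(SAMPLE_CONF))
```

To audit the real file, pass the contents of /etc/httpd/conf/httpd.conf to audit_vhosts; an empty list for every host means the rule is present in each of them.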

Now restart the Apache service: /etc/init.d/httpd restart


Here is an example of how to check that HTTP TRACE is disabled on your webserver:
[root@cluster2 ~]# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
TRACE / HTTP/1.1
Host: 127.0.0.1
[press ENTER twice here]
HTTP/1.1 403 Forbidden
Date: Sat, 11 May 2013 15:08:59 GMT
Server: Apache/2.2.3 (Red Hat)
Accept-Ranges: bytes
Content-Length: 3985
Connection: close

Also verify the Apache access log file:

Before disabling TRACE:
127.0.0.1 - - [11/May/2013:07:31:49 -0700] "TRACE / HTTP/1.1" 200 37 "-" "-"
After disabling TRACE:
127.0.0.1 - - [11/May/2013:08:04:51 -0700] "TRACE / HTTP/1.1" 403 3985
So now your site is protected against one more potential security vulnerability. :)