Menu

Disabling the TRACE method in Apache2

By default, Apache2 supports the HTTP TRACE method, which could expose your server to certain Cross-Site Scripting attacks. In this tutorial, I will show you how to check for TRACE support on your Apache2 server using curl, and then switch it off if it is enabled.

Testing for TRACE support with curl

$ curl -i -X TRACE http://www.linuxtutorial.net/
HTTP/1.1 200 OK
Date: Wed, 13 Feb 2013 14:22:56 GMT
Server: Apache/2.2.15 (CentOS)
Transfer-Encoding: chunked
Content-Type: message/http

TRACE / HTTP/1.1
User-Agent: curl/7.21.7 (x86_64-redhat-linux-gnu) libcurl/7.21.7 NSS/3.13.3.0 zlib/1.2.5 libidn/1.22 libssh2/1.2.7
Host: www.linuxtutorial.net
Accept: */*
As you can see, I am getting a response from the server for the TRACE request. Now let us disable it.

Disabling TRACE support in Apache2

To switch off TRACE support, you need to open your main Apache2 configuration file which is here on my CentOS box:
nano /etc/httpd/conf/httpd.conf
Now add this directive to that file (I added it to the bottom of the file):
TraceEnable off
...and restart Apache2:
service httpd restart
Now when I run the same curl command again from my client machine, this is the response I get:
$ curl -i -X TRACE http://www.linuxtutorial.net/
HTTP/1.1 405 Method Not Allowed
Date: Wed, 13 Feb 2013 14:30:32 GMT
Server: Apache/2.2.15 (CentOS)
Allow: 
Content-Length: 223
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /.</p>
</body></html>
www.hackthesec.co.in
@hackthesecurity

About Author:


I am a Linux Administrator and Security Expert with this site i can help lot's of people about linux knowladge and as per security expert i also intersted about hacking related news.TwitterFacebook

Next
Newer Post
Previous
Older Post

0 comments:

Post a Comment

 
Top