The TRACE method is enabled by default in an Apache/httpd
installation. This could expose the server to certain cross-site scripting attacks.
There are two ways to disable the TRACE method: the TraceEnable directive and a rewrite rule.
In this tutorial, we will show how to check for TRACE support on an Apache2/httpd
server using curl, and then disable it if it is enabled.
To check whether TRACE is enabled or disabled, use the curl
command as below:
[root@linuxcnf ~]# curl -i -X TRACE http://192.168.43.106/
HTTP/1.1 200 OK
Date: Fri, 25 Aug 2017 23:25:12 GMT
Server: Apache/2.4.6 (CentOS)
Transfer-Encoding: chunked
Content-Type: message/http

TRACE / HTTP/1.1
User-Agent: curl/7.29.0
Host: 192.168.43.106
Accept: */*
As per the above output, the server echoes the TRACE request back to us in its
response, so TRACE is enabled. We can disable it by either of the following two methods:
Method 1:
On Apache 1.3.34, 2.0.55, or any 2.2 release, add the TraceEnable directive to
the global section of "/etc/httpd/conf/httpd.conf" and set its value to off.
[root@linuxcnf ~]# vi /etc/httpd/conf/httpd.conf

Now add this directive to the global section:

TraceEnable off

Save and close the file and restart the apache/httpd service:

[root@linuxcnf ~]# service httpd restart
Now check the TRACE status again with the curl command; this time
the server answers 405 Method Not Allowed:
[root@linuxcnf ~]# curl -i -X TRACE http://192.168.43.106/
HTTP/1.1 405 Method Not Allowed
Date: Fri, 25 Aug 2017 23:27:22 GMT
Server: Apache/2.4.6 (CentOS)
Allow:
Content-Length: 223
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /.</p>
</body></html>
Method 2:
To achieve the same result with an Apache plug-in module, add the RewriteRule
directives below, which reject TRACE (and TRACK) requests. This method works with
any version of apache/httpd that supports mod_rewrite. The directives need to be
set in the apache/httpd configuration file as follows:
First, make sure that mod_rewrite is loaded. If the mod_rewrite module is missing
from the apache/httpd configuration, install it if it is not installed, and add
the following line to the apache/httpd configuration file to load the module:
[root@linuxcnf ~]# vi /etc/httpd/conf/httpd.conf

LoadModule rewrite_module /usr/lib64/httpd/modules/mod_rewrite.so

Then add the following lines as well to the httpd.conf file:

[root@linuxcnf ~]# vi /etc/httpd/conf/httpd.conf

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Now check the TRACE status again with the curl command; this time the
server answers 403 Forbidden:
[root@linuxcnf ~]# curl -i -X TRACE http://192.168.43.106/
HTTP/1.1 403 Forbidden
Date: Sat, 26 Aug 2017 02:14:59 GMT
Server: Apache/2.4.6 (CentOS)
Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8
PS: By default, rewrite rule configurations are not inherited across virtual
hosts. Repeat the same configuration and validation steps for every virtual
host as well.
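As an added example (not part of the original tutorial), the small Python check below sends TRACE with a chosen Host header, so each virtual host mentioned in the note above can be validated in turn, and classifies the answer the way the curl outputs above do: 200 with Content-Type message/http means TRACE is enabled, 405 (TraceEnable off) or 403 (the rewrite rule) means it is disabled. The server address and host names in the usage block are placeholders.

```python
"""Check whether an Apache/httpd server answers TRACE, one Host header at a time."""
import http.client


def classify_trace(status, content_type):
    """Turn a TRACE response into a verdict.

    200 with Content-Type message/http means the server echoed the request
    back (TRACE enabled). 405 is what TraceEnable off returns; 403 is what the
    mod_rewrite [F] rule returns. Anything else needs a human look.
    """
    if status == 200 and content_type.lower().startswith("message/http"):
        return "enabled"
    if status in (403, 405):
        return "disabled"
    return "unexpected (%d)" % status


def classify_raw(raw):
    """Classify a captured raw HTTP response (status line plus headers as text)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    ctype = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-type":
            ctype = value.strip()
    return classify_trace(status, ctype)


def check_trace(server, host_header, port=80, timeout=5):
    """Send TRACE / to `server`, presenting `host_header` so a specific virtual host answers."""
    conn = http.client.HTTPConnection(server, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"Host": host_header, "Accept": "*/*"})
        resp = conn.getresponse()
        return classify_trace(resp.status, resp.getheader("Content-Type", ""))
    finally:
        conn.close()


def check_vhosts(server, hostnames):
    """Map each virtual-host name to its TRACE verdict."""
    return {name: check_trace(server, name) for name in hostnames}


if __name__ == "__main__":
    # Placeholder address and host names; replace with your own server and vhosts.
    for name, verdict in check_vhosts("192.168.43.106", ["www.example.com", "intranet.example.com"]).items():
        print(name, verdict)
```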