About Me

Kalyan Kumar Pasupuleti, B-Tech (Information Technology), working as a Cloud DevOps engineer.
• AWS Certified Solutions Architect - Associate
• Red Hat Certified Engineer (RHCE)
• Directory Services and Authentication Certificate of Expertise (LDAP)
• Red Hat SELinux Policy Administration Certificate of Expertise (SELinux)
• Network Services Security Certificate of Expertise (Network Services)
• Red Hat Certified Virtualization Administrator (RHCVA)
• Red Hat Certified Security Specialist (RHCSS)

Saturday, May 11, 2013

How to disable HTTP Trace & Track methods?

TRACE is an HTTP method (RFC 2616) used for debugging webserver and proxy connections: the server echoes the request it received back to the client in the response body, so you can see exactly what arrived after any intermediaries. TRACK is the equivalent method on Microsoft IIS; Apache does not implement it, but the rules below block both so the same configuration can be reused.

Although the method is useful for legitimate debugging, it can be abused in a cross-site tracing (XST) attack. Because the response echoes the whole request, including Cookie and Authorization headers, an attacker who can make a visitor's browser send a cross-origin TRACE to your server (historically via browser or plugin weaknesses) can read those headers from the response, which defeats the HttpOnly cookie flag. Current browsers refuse to send TRACE from script, so the practical risk today is mostly older or non-browser clients, but security scanners still flag an enabled TRACE and the fix is cheap: disable the method on your webserver.

By default TRACE is enabled in Apache (the TraceEnable directive defaults to on).


Verification

Here is an example of how to check whether HTTP TRACE is enabled on your webserver. Type the request line and the Host header, then press ENTER twice: the empty line ends the request headers and makes Apache process the request.

[root@cluster2 ~]# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: 127.0.0.1
(press ENTER twice here)

HTTP/1.1 200 OK
Date: Sat, 11 May 2013 14:46:59 GMT
Server: Apache/2.2.3 (Red Hat)
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http

25
TRACE / HTTP/1.1
Host: 127.0.0.1


0

Connection closed by foreign host.
To disable the TRACE and TRACK HTTP methods on your Apache-powered webserver, add the following directives to your main configuration file, /etc/httpd/conf/httpd.conf:


RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

These directives disable the TRACE and TRACK methods as follows:

RewriteEngine on — enables mod_rewrite processing in this context (not needed if the directive is already present in the same server or virtual-host context, or in the .htaccess file you are editing)

RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) — a regular expression anchored at the start of the request method, so only TRACE and TRACK requests satisfy the condition for the rule that follows

RewriteRule .* - [F] — for any request URI (.*), make no substitution (-) and return a 403 Forbidden response ([F]); the request is rejected before it reaches the handler that would echo it back

With these rules in place, your site is protected against one more potential security vulnerability.

So add these 3 lines to each virtual host as shown below (the VirtualHost directive takes an address and port; put the hostname in ServerName rather than in the VirtualHost tag, which Apache documents as unreliable):

# vim /etc/httpd/conf/httpd.conf


<VirtualHost *:80>
    ServerName www.example.com
    ...
    # disable TRACE and TRACK in the www.example.com virtual host
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
</VirtualHost>

Save & Exit
Note:
Rewrite rules in the main server context are not inherited by virtual hosts unless RewriteOptions Inherit is set, so if you have N virtual hosts configured you need to add the same three lines to every one of them, and verify each one separately with its own Host header.
mod_rewrite must be loaded (the LoadModule line for rewrite_module must be present and uncommented) or Apache will reject these directives at startup.
Apache 2.0.55 and later also provide a simpler global switch, TraceEnable off in the main server context, which applies to every virtual host and answers TRACE with 405 Method Not Allowed instead of 403. The mod_rewrite approach is still useful where you cannot change the global configuration, for example from a .htaccess file on shared hosting. Apache does not implement TRACK at all (it is an IIS method), so including it in the pattern mainly keeps the rule portable and satisfies scanners that test both.



Now syntax-check the configuration with httpd -t and restart Apache: /etc/init.d/httpd restart

Here is an example of how to check that HTTP TRACE is now disabled on your webserver:


[root@cluster2 ~]# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
TRACE / HTTP/1.1
Host: 127.0.0.1
Here Press ENTER twice!

HTTP/1.1 403 Forbidden
Date: Sat, 11 May 2013 15:08:59 GMT
Server: Apache/2.2.3 (Red Hat)
Accept-Ranges: bytes
Content-Length: 3985
Connection: close

Also verify the apache access log file:

Before disabling TRACE (200, and the 37-byte body is the echoed request):

127.0.0.1 - - [11/May/2013:07:31:49 -0700] "TRACE / HTTP/1.1" 200 37 "-" "-"

After disabling TRACE (403 from the rewrite rule):

127.0.0.1 - - [11/May/2013:08:04:51 -0700] "TRACE / HTTP/1.1" 403 3985
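Pulling the checks above together, here is an added shell script (not part of the original post) that probes TRACE for each name-based virtual host, since the rewrite rule has to be added and verified per virtual host, and counts TRACE requests that were answered 200 in an Apache access log. It assumes curl is installed; the host names on its command line are whatever you pass, and the two log lines inside demo_log_check are constructed from the access-log excerpt in this post. A 403 (the rewrite rule), 405 (TraceEnable off) or 501 (method not implemented) are all treated as "disabled"; only a 200 means the method is still echoing requests.

```shell
#!/bin/sh
# check_trace.sh - probe virtual hosts for HTTP TRACE and scan an Apache
# access log for TRACE requests that succeeded.
# Added example, not code from the original post. Assumes curl is installed.

# classify_status CODE -> prints ENABLED / disabled / unknown
# 200: the server echoed the request back (TRACE works)
# 403: blocked by RewriteRule [F] as in the post
# 405: Apache's own TraceEnable off
# 501: the server does not implement the method at all
classify_status() {
    case "$1" in
        200) echo ENABLED ;;
        403|405|501) echo disabled ;;
        *) echo unknown ;;
    esac
}

# probe_trace HOST PORT VHOST -> prints the HTTP status code
# (curl prints 000 if the connection fails)
probe_trace() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 5 \
        -X TRACE -H "Host: $3" "http://$1:$2/"
}

# audit_vhosts HOST PORT VHOST... -> one line per vhost,
# exit status 1 if any vhost still answers TRACE with 200
audit_vhosts() {
    host=$1; port=$2; shift 2
    rc=0
    for vhost in "$@"; do
        code=$(classify_status "$(probe_trace "$host" "$port" "$vhost")")
        printf '%-30s %s\n' "$vhost" "$code"
        [ "$code" = ENABLED ] && rc=1
    done
    return $rc
}

# trace_hits_in_log LOGFILE -> number of TRACE requests answered 200
# In the common/combined log format the request line starts in field 6
# ("TRACE) and the status code is field 9.
trace_hits_in_log() {
    awk '$6 == "\"TRACE" && $9 == 200 { n++ } END { print n+0 }' "$1"
}

# demo_log_check -> runs trace_hits_in_log over two constructed lines
# modelled on the before/after access-log entries in the post (expect 1)
demo_log_check() {
    tmp=$(mktemp)
    printf '%s\n' \
        '127.0.0.1 - - [11/May/2013:07:31:49 -0700] "TRACE / HTTP/1.1" 200 37 "-" "-"' \
        '127.0.0.1 - - [11/May/2013:08:04:51 -0700] "TRACE / HTTP/1.1" 403 3985 "-" "-"' \
        > "$tmp"
    trace_hits_in_log "$tmp"
    rm -f "$tmp"
}

# Stand-alone usage: sh check_trace.sh 127.0.0.1 80 www.example.com shop.example.com
if [ $# -gt 0 ]; then
    audit_vhosts "$@"
fi
```

Run it as sh check_trace.sh 127.0.0.1 80 www.example.com other.example.com and it prints one line per virtual host and exits non-zero if any of them still answers 200, which is convenient from a cron job or a deployment check. After the change, trace_hits_in_log /var/log/httpd/access_log should only ever report the hits that predate the restart; any new 200 for TRACE means a virtual host was missed.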

So now your site is protected against one more potential security vulnerability. :)