Apache Hardening Tutorial: Disable HTTP Trace / Cross Site Method
What is HTTP Trace ? Apache Hardening Tutorial
This article is part of the Apache Hardening and Securing tutorial series. This time we will be taking a look on HTTP Trace find how to check if you are vulnerable and how to fix it.
Apache Hardening Tutorial Series:
1- Secure Apache Web Server - Use SSLScan and Disable Ciphers:
https://goo.gl/mb7pYz
2- Apache Secure Tutorial: Hide HTTP Header and Disable Directory Listing:
https://goo.gl/VqcLrG
3- Apache Hardening Tutorial: Disable HTTP Trace / Cross Site Method
https://goo.gl/KJnbDS
If your webserver has the HTTP Trace enabled this going to put it into a risk of Cross-Site Tracing and use of Cross-site Scripting (XSS).
TRACE: This method simply echoes back to the client whatever string has been sent to the server, and is used mainly for debugging purposes.
The TRACE method, while it looks fine, it can be used in some scenarios to steal customers' credentials. It allows the client to see what is being received at the other end of the request.
This attack method was first discovered in 2003.
Find if your Web-server is Vulnerable
To check if the trace is enabled by default or not disabled you can use curl for that.
-k To perform insecure connection.
-X Use specified proxy
curl -k -X TRACE https://ip.ip.ip.ip/
If the HTTP Trace is enabled you will be getting something similar to below output and means that you are vulnerable to cross site tracing.
TRACE /phpinfo.php HTTP/1.1
User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: ip.ip.ip.ip
Accept: /
Disable HTTP Trace and Secure your Web-server
vi /etc/httpd/conf/httpd.conf
Add
TraceEnable Off
Save
service httpd restart
After disabling HTTP Trace try the curl command to check the status
Watch video Apache Hardening Tutorial: Disable HTTP Trace / Cross Site Method online without registration, duration hours minute second in high quality. This video was added by user dotsway 20 June 2017, don't forget to share it with your friends and acquaintances, it has been viewed on our site 17,23 once and liked it 15 people.