How to Disable HTTP TRACE/TRACK method for Apache

This article explains how to disable the Apache HTTP TRACE / TRACK method on a Linux machine.

An HTTP TRACE request provides a debugging mechanism by performing a loop-back test along the path to the destination: the server echoes the request it received back to the client. As a rule of thumb, if you are running Apache and your scanner detects this vulnerability, you can reasonably be sure TRACK.

The remote web server supports the TRACE and/or TRACK HTTP methods. This makes it easier for remote attackers to obtain authentication credentials and cookies, or to bypass the HttpOnly cookie protection.

In an Apache installation, TRACE is enabled by default. Check the latest Apache release as well.

Disable the HTTP TRACE method for Apache

IMPACT:

If this vulnerability is successfully exploited, attackers can potentially steal cookies and authentication credentials, or bypass the HttpOnly protection mechanism.

SOLUTION:

Disable these methods in your web server’s configuration file.

How to check HTTP TRACE / TRACK Status

Step 1: log in to the Linux machine and run the command below

curl -k -X TRACE http://localhost

Output

[root@C7 /]# curl -k -X TRACE http://localhost
TRACE / HTTP/1.1
User-Agent: curl/7.29.0
Host: localhost
Accept: */*

The server echoed the request back, which indicates that the HTTP TRACE / TRACK method is enabled.


Step 2: disable the TRACK and TRACE methods in Apache on the Linux machine. We need to add an entry to the main httpd configuration file.

First, check whether the directive is already present:

cat /etc/httpd/conf/httpd.conf | grep TraceEnable

Screenshot (CentOS machine): verify the TraceEnable option in the httpd.conf file.

TraceEnable does not exist in the configuration file, so the default (enabled) applies. Open the httpd configuration file and add the entry shown below:

vi /etc/httpd/conf/httpd.conf
   TraceEnable off

Add the entry as the last line of the file, then write and quit.

Now check it again with the same grep command as above; it should now print the line:

TraceEnable off

Now restart the Apache server with the command below:

systemctl restart httpd


Step 3: now check the status of the HTTP TRACE / TRACK method again

curl -k -X TRACE http://localhost

Output:

[root@C7 /]# curl -k -X TRACE http://localhost
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /.</p>
</body></html>

The server now answers 405 Method Not Allowed, so the HTTP TRACE / TRACK method is disabled on the CentOS machine.
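The two checks in this procedure (reading TraceEnable out of httpd.conf and sending a TRACE request with curl) can be turned into repeatable audit helpers. The script below is an added example and not the article's own code: it assumes the RHEL/CentOS path /etc/httpd/conf/httpd.conf, and it works on constructed sample files rather than a live server so it can run anywhere. trace_policy reports the effective TraceEnable value (the last uncommented directive wins; absence means Apache's default "on"), and classify_trace_response reads a response captured with `curl -s -i -X TRACE` (the `-i` flag, not used in the article, is needed so the status line is present) and says whether the loop-back succeeded.

```shell
#!/usr/bin/env bash
# Added example (not from the article): offline helpers to audit the TraceEnable
# directive and to classify a TRACE response captured with curl.
# Assumptions: RHEL/CentOS path /etc/httpd/conf/httpd.conf; every sample file is
# constructed by write_samples, not taken from a real server.

# trace_policy FILE
# Prints the effective TraceEnable value in FILE: the last uncommented
# directive wins; when none is present Apache's default is "on".
# Caveat: TraceEnable may also live in Include'd files (conf.d/*.conf) or a
# <VirtualHost>; audit every file Apache loads, not only httpd.conf.
trace_policy() {
    local file="$1" value
    value=$(grep -iE '^[[:space:]]*TraceEnable[[:space:]]+' "$file" 2>/dev/null \
        | tail -n 1 | awk '{print tolower($2)}')
    printf '%s\n' "${value:-on}"
}

# classify_trace_response FILE
# FILE holds the raw output of `curl -s -i -X TRACE http://HOST/`.
# "enabled":  200 and the body echoes the request line (loop-back worked)
# "disabled": 405/403/501, i.e. the method is refused
# "unknown":  anything else (proxy in the way, empty capture, ...)
classify_trace_response() {
    local file="$1" status
    status=$(head -n 1 "$file" | awk '{print $2}')
    case "$status" in
        200)
            if grep -q '^TRACE / HTTP/' "$file"; then echo enabled; else echo unknown; fi ;;
        405|403|501) echo disabled ;;
        *) echo unknown ;;
    esac
}

# write_samples DIR: constructed inputs that mirror the before/after states above.
write_samples() {
    local dir="$1"
    # a commented-out directive does not count, so the default "on" applies
    printf '# TraceEnable off\nServerName localhost\n' > "$dir/default.conf"
    # the fix from Step 2, appended at the end of httpd.conf
    printf 'ServerName localhost\nTraceEnable off\n' > "$dir/hardened.conf"
    # a later directive overrides an earlier one
    printf 'TraceEnable on\nTraceEnable extended\n' > "$dir/extended.conf"
    # Step 1 state: the server loops the request back (captured with curl -i)
    printf 'HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\nTRACE / HTTP/1.1\r\nHost: localhost\r\n' > "$dir/before.txt"
    # Step 3 state: 405 Method Not Allowed
    printf 'HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST\r\n\r\n<html>Method Not Allowed</html>\n' > "$dir/after.txt"
}

# Run the helpers over the constructed samples, and over the real httpd.conf when present.
demo() {
    local dir f r
    dir=$(mktemp -d)
    write_samples "$dir"
    for f in default hardened extended; do
        printf '%-14s TraceEnable %s\n' "$f.conf" "$(trace_policy "$dir/$f.conf")"
    done
    for r in before after; do
        printf '%-14s TRACE %s\n' "$r.txt" "$(classify_trace_response "$dir/$r.txt")"
    done
    if [ -r /etc/httpd/conf/httpd.conf ]; then
        printf '%-14s TraceEnable %s\n' httpd.conf "$(trace_policy /etc/httpd/conf/httpd.conf)"
    fi
    rm -rf "$dir"
}

demo
```

On a real host, capture the live response with `curl -s -i -X TRACE http://localhost/ > /tmp/trace.txt` and pass that file to classify_trace_response; a result of "enabled" after the restart means another loaded configuration file or a virtual host is still setting TraceEnable on, which trace_policy will show when pointed at that file.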


Conclusion:

Essentially the same as TRACE, HTTP TRACK was created by Microsoft but was never fully adopted by any software companies except penetration testers, hackers, worms, and vulnerability scanners like Qualys and Tripwire. The next article will discuss a deprecated SSH vulnerability.

Disabling Apache HTTP TRACE / TRACK Method has been explained step by step. If you have any questions about Disabling Apache HTTP TRACE / TRACK Method, please leave a comment.
