This article explains how to disable the HTTP TRACE / TRACK methods in Apache on a Linux machine.
HTTP TRACE is a debugging method: the server echoes the request it received back to the client, so you can see what actually arrived after any proxies along the path (a loop-back test). Apache implements TRACE but not TRACK (TRACK is a Microsoft IIS method, see the conclusion), so when your scanner flags "TRACE / TRACK" on an Apache host it is TRACE that is enabled.
The finding reads: the remote web server supports the TRACE and/or TRACK HTTP methods. Because the server echoes the complete request, headers included, an attacker who can make a victim's browser issue a TRACE request to the site (cross-site tracing, XST) can read the victim's cookies and Authorization header out of the echoed body, which defeats the HttpOnly cookie flag. Modern browsers refuse to send TRACE from script (XMLHttpRequest and fetch treat it as a forbidden method), which limits the practical impact, but the server still echoes headers to anyone who can reach it and scanners will keep reporting it.
In an Apache installation TRACE is enabled by default (the TraceEnable directive defaults to on); check the documentation for the Apache release you are running as well.
Disable the HTTP TRACE method for Apache
IMPACT:
If this vulnerability is successfully exploited, attackers can potentially steal cookies and authentication credentials, or bypass the HttpOnly protection mechanism.
SOLUTION:
Disable these methods in your web server's configuration file (for Apache, the TraceEnable directive).
How to check the HTTP TRACE / TRACK status
Step1: log in to the Linux machine and run the command below (the -k flag only matters for https URLs, where it skips certificate verification; it is harmless here):
curl -k -X TRACE http://localhost
Output
[root@C7 /]# curl -k -X TRACE http://localhost
TRACE / HTTP/1.1
User-Agent: curl/7.29.0
Host: localhost
Accept: */*
The server echoed the request back in the response body, which means the TRACE method is enabled.
Step2: Disable the TRACE method in Apache on the Linux machine by adding a directive to the main httpd configuration file.
First, check whether TraceEnable is already set (also look in files pulled in via Include, such as /etc/httpd/conf.d/*.conf, because a later TraceEnable on there would override the main file):
grep -i TraceEnable /etc/httpd/conf/httpd.conf
On the CentOS machine in the screenshot below the command prints nothing: TraceEnable is not present in the configuration file. Open the httpd configuration file and add the entry shown below.
vi /etc/httpd/conf/httpd.conf
TraceEnable off
Add the entry as the last line of the file, then write and quit. Set in the main server context, TraceEnable off applies to every virtual host that does not override it.
Now restart the Apache server so the change takes effect:
systemctl restart httpd
Step3: Check the status of the HTTP TRACE method again
curl -k -X TRACE http://localhost
Output:
[root@C7 /]# curl -k -X TRACE http://localhost
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /.</p>
</body></html>
The HTTP TRACE method is now disabled on the CentOS machine: Apache answers 405 Method Not Allowed instead of echoing the request.
Conclusion:
Essentially the same as TRACE, HTTP TRACK was introduced by Microsoft (in IIS) and was never widely adopted by other web server vendors; today it survives mainly in the checks of penetration testers, worms and vulnerability scanners such as Qualys and Tripwire. The next article discusses a deprecated SSH vulnerability.
Disabling the Apache HTTP TRACE / TRACK methods has been explained step by step. If you have any questions about disabling the Apache HTTP TRACE / TRACK methods, please leave a comment.