Disable Apache HTTP TRACE method to improve Apache security

Thursday, 22nd April 2010

I’m doing a web security audit on a server, to get more accurate data about the current security level of a Linux-powered server.
I intend to combine automated scans with tools such as Paros Proxy, Nessus and nmap with some more modern web server scanners like Nikto. Nikto itself is not brand new; it is partly based on an older web server scanner called Whisker, which is deprecated software nowadays, though in its time it was a real buzz.

Anyway, the audit itself is not the topic of this post.
During some of the scans with the tools mentioned above, the scanners warned me that the HTTP TRACE method is enabled on the web server and that this could pose a security risk.
At first I had no idea what HTTP TRACE is; after some reading online I got it. It is really simple, so let me save you the research.
HTTP TRACE is an echo-like method defined by HTTP/1.1 (RFC 2616) and implemented by Apache: the server answers by reflecting the request it received, headers included, as the response body with Content-Type: message/http.
At first I thought Nikto was reporting a false positive. However, after checking my Apache for the HTTP TRACE method I realized the scanner was right.

I wondered how such a small thing as HTTP TRACE could be a security threat. It is not a denial-of-service issue, as I first assumed: the problem is that the response reflects the entire request, including the Cookie and Authorization headers. The classic attack, Cross-Site Tracing (XST, described by Jeremiah Grossman in 2003), uses client-side script that can issue a TRACE request to read cookies flagged HttpOnly or HTTP Basic credentials, which the script could not otherwise reach. Modern browsers refuse to send TRACE from XMLHttpRequest and similar APIs, so today the finding is mostly a hardening item; still, the method serves no purpose in production and is cheap to switch off.

So, having that in mind, I must concede that the security scanners are right to flag HTTP TRACE as a possible security leak.

Here is how to check whether HTTP TRACE is enabled on your web server (type the request line and the Host header, then press Enter twice; the empty line ends the request):

debian-server:~# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: 127.0.0.1

HTTP/1.1 200 OK
Date: Thu, 22 Apr 2010 10:36:58 GMT
Server: Apache
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: 127.0.0.1

Connection closed by foreign host.

If you receive a response like the one above, with status 200, Content-Type: message/http and your own request echoed back in the body, HTTP TRACE is definitely enabled on your Apache, and for security reasons it is best to disable it.

There are two ways to do that:

1. You can use a mod_rewrite rule like the following and put it in your httpd.conf or apache2.conf (on Debian):

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

Two caveats. The rule must live in the server or virtual host context, not in an .htaccess file: Apache answers TRACE in its core before per-directory configuration is read, so rules in .htaccess are never consulted for a TRACE request (for the same reason <Limit> and <LimitExcept> cannot restrict TRACE). And while the cost of one extra RewriteCond evaluated on every request is small, this remains a workaround; the proper switch is the directive below.

2. Or use the TraceEnable Off directive, available since Apache 1.3.34 and 2.0.55, and in all 2.2.x releases including the current Debian stable Apache (2.2.9-10+lenny7).
Note that in my case, on a Debian server, putting TraceEnable Off in /etc/apache2/apache2.conf did not disable HTTP TRACE. The likely cause is that Debian lenny ships /etc/apache2/conf.d/security containing TraceEnable On, and conf.d is included after that line, so the later directive in the same server context wins; the Debian way is to change the value in that file.

To disable it I had to put TraceEnable Off in /etc/apache2/sites-enabled/000-default, the virtual host definition. Virtual host settings are merged with the main server after the whole configuration has been read, so that one applies regardless of include order. Put it in every virtual host, the https one included, or TRACE remains reachable over TLS while plain http returns 405.
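As an added example (not from the original post) of where TraceEnable has to sit on a Debian-style layout so that no later Include can turn the method back on; the file paths follow the post, while the www.example.com host names are illustrative:

```apacheconf
# Added example, not from the original post. Each section is a fragment of
# the file named in its comment; paths follow the Debian layout in the post,
# host names are illustrative.

# /etc/apache2/apache2.conf (main server context).
# On Debian lenny, /etc/apache2/conf.d/ is Included further down this file
# and conf.d/security ships "TraceEnable On", so a line here is overridden
# by the later directive in the same context.
TraceEnable Off

# /etc/apache2/conf.d/security
# Shipped (weak) setting, which re-enables the method:
#TraceEnable On
# Corrected:
TraceEnable Off

# /etc/apache2/sites-enabled/000-default (virtual host context).
# Virtual hosts are merged with the main server after the whole configuration
# has been read, so a per-vhost setting wins regardless of Include order.
# Repeat it in every vhost, the TLS one included, otherwise TRACE answers
# over https while http already returns 405.
<VirtualHost *:80>
    ServerName www.example.com
    TraceEnable Off
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine On
    TraceEnable Off
</VirtualHost>
```

Whichever file you choose, reload Apache afterwards and repeat the telnet check against every listening port, not only port 80.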

To verify that HTTP TRACE is really disabled after using one of the methods above, run the check again (press Enter twice after the Host header):

debian-server:~# telnet cadia 80
Trying 127.0.0.1...
Connected to cadia.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: 127.0.0.1

You should then receive a response from Apache like:

HTTP/1.1 405 Method Not Allowed
Date: Thu, 22 Apr 2010 10:52:09 GMT
Server: Apache
Allow:
Vary: Accept-Encoding
Content-Length: 223
Content-Type: text/html; charset=iso-8859-1

Method Not Allowed

The requested method TRACE is not allowed for the URL
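
Both telnet sessions, the first check and the re-check after disabling the method, can be scripted. The following is an added example, not code from the original post: a POSIX shell probe that sends a TRACE request carrying a random canary header through curl and classifies the answer by whether that canary is reflected in the body, rather than by status code alone (a proxy or load balancer in front of Apache can return 200 without reflecting anything). The X-Canary header name, the probe=1 cookie and the curl invocation are my assumptions; curl must be installed for the live probe, while the classifier itself needs only sh, sed and grep.

```sh
#!/bin/sh
# Added example, not from the original post: probe a web server for the HTTP
# TRACE method and classify the answer.  Assumes curl for the live probe; the
# classifier uses only POSIX sh, sed and grep so it can be exercised offline.

# classify_trace_response CANARY
#   Reads a raw HTTP response (status line, headers, blank line, body) on
#   stdin and prints exactly one word:
#     ENABLED  - 200 with Content-Type: message/http and CANARY echoed in
#                the body: the server really reflects what it received
#     DISABLED - 405 Method Not Allowed (TraceEnable Off) or 501
#     UNKNOWN  - anything else (a proxy answered, 200 without reflection ...)
classify_trace_response() {
    canary="$1"
    resp=$(tr -d '\r')                                   # CRLF -> LF
    status=$(printf '%s\n' "$resp" |
             sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    headers=$(printf '%s\n' "$resp" | sed '/^$/q')       # up to blank line
    body=$(printf '%s\n' "$resp" | sed '1,/^$/d')        # after blank line
    case "$status" in
        405|501)
            echo DISABLED ;;
        200)
            if printf '%s\n' "$headers" | grep -qi '^Content-Type: *message/http' &&
               printf '%s\n' "$body" | grep -qF -- "$canary"; then
                echo ENABLED
            else
                echo UNKNOWN
            fi ;;
        *)
            echo UNKNOWN ;;
    esac
}

# probe_trace HOST [PORT] [SCHEME]
#   Live check.  Sends TRACE with a per-run canary header and a dummy Cookie,
#   so an ENABLED result also shows the reflection of credential-bearing
#   headers that makes TRACE interesting to an attacker.  -k accepts a
#   self-signed certificate on test hosts; drop it for real assessments.
probe_trace() {
    host="$1"; port="${2:-80}"; scheme="${3:-http}"
    canary="xst-canary-$$-$(date +%s)"
    curl -s -i -k -X TRACE \
         -H "X-Canary: $canary" -H "Cookie: probe=1" \
         "$scheme://$host:$port/" |
        classify_trace_response "$canary"
}

# Usage: sh trace_probe.sh www.example.com 443 https
if [ -n "${1:-}" ]; then
    probe_trace "$@"
fi
```

Run it once per listening port and scheme; an ENABLED result on the https port after the http port reports DISABLED means the directive was only applied to one virtual host.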

That’s all, now your Apache should be a bit more secure than before!

13 Responses to “Disable Apache HTTP TRACE method to improve Apache security”

  1. Chad Cloman says:

    In method #1, the rewrite rules will not work if they are put into the .htaccess file. They must go into httpd.conf.

    • admin says:

      Thanks for the note Chad!
      Still, are you sure that the rewrite engine is enabled for the directory where you try to put the rewrite rules?
      It could also be due to a difference in Apache version or Linux distribution. Which versions are you using?

      • Chad Cloman says:

        I definitely have the rewrite engine enabled, because the same rule works for the TRACK request method. I admit that it could be the version of Apache or the OS, but it’s from my hosting company, and I don’t have access to that information.

        While researching this, I’ve found many accounts of people who implemented the .htaccess rules and found that they didn’t work. I also found several instances where people “in the know” said that the rewrite directives had to go into httpd.conf and that it wouldn’t work in .htaccess.

  2. admin says:

    I see. OK, it’s nice that you shared this issue. Hopefully someone else will benefit from it.
    Thanks for your comments.
    Will see you around !

    Best

  3. admin says:

    By the way I just checked your website. There is pretty cool stuff on it. That Christian Band Servant is quite interesting. I’m glad you’re a Christian too 🙂 You can check my blog christian section if you haven’t checked it yet.

  4. Jim says:

    On Debian/Lenny there is a file /etc/apache2/conf.d/security that has:

    # Allow TRACE method
    #
    # Set to "extended" to also reflect the request body (only for testing and
    # diagnostic purposes).
    #
    # Set to one of: On | Off | extended
    #
    #TraceEnable Off
    TraceEnable On

    You can simply uncomment the option you want.

    • admin says:

      That’s a good tip thanks a bunch!

  5. Vikman says:

    Insertion of the rewrite rule in the .htaccess file worked for me. However, it only seemed to work for the http connection. The trace is still working on the https connection.

    How to disable it for both?

    I am using this site to test: http://web-sniffer.net/

    • admin says:

      Check if the mod_rewrite is enabled for https? Also does the https access recognize mod rewrite rules you place in .htaccess?

      • Vikman says:

        I don’t have access to the httpd.conf file. It’s a shared hosting setup so I can only modify .htaccess

        I inserted this code into .htaccess:

        RewriteEngine on
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]

        I then went to this site to test:

        http://web-sniffer.net/

        An http request gave the desired “405 Method Not Allowed” response. An https request did not.

        So, I’m stumped. Is there some way in the .htaccess to explicitly spell out rewrite conditions for https requests? Is that what is needed?

        • admin says:

          Maybe your shared hosting provider has somehow disabled the use of .htaccess rules for the https?
          Can you contact them and ask them if there are some restrictions, this might be a possible cause?

  6. krankenversicherung says:

    Brilliant stuff. I think it is fabulous what you are all building here. You have one more fan.

