Apache Hardening Tutorial: Disable HTTP Trace / Cross Site Method

What is HTTP Trace? Apache Hardening Tutorial

This article is part of the Apache Hardening and Securing tutorial series. This time we take a look at HTTP TRACE: how to check whether your server is vulnerable and how to fix it.

Apache Hardening Tutorial Series:

1- Secure Apache Web Server - Use SSLScan and Disable Ciphers

2- Apache Secure Tutorial: Hide HTTP Header and Disable Directory Listing

3- Apache Hardening Tutorial: Disable HTTP Trace / Cross Site Method

If your web server has HTTP TRACE enabled, it is exposed to Cross-Site Tracing, an attack that abuses TRACE together with Cross-Site Scripting (XSS).

TRACE: This method simply echoes back to the client whatever string has been sent to the server, and is used mainly for debugging purposes.

The TRACE method looks harmless, but in some scenarios it can be used to steal customers' credentials: it lets the client see exactly what the server received at the other end of the request, headers included.

This attack method was first discovered in 2003.

Find if your Web-server is Vulnerable

To check whether TRACE is enabled (it is on by default and may never have been disabled), you can use curl with the following options:

-k  Perform an insecure connection.

-X  Use the specified proxy.

If HTTP TRACE is enabled you will get output similar to the following, which means you are vulnerable to cross-site tracing:

User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Accept: */*

Disable HTTP Trace and Secure your Web-server

Add the following directive to the Apache configuration:

TraceEnable Off

Save the file and restart Apache:

service httpd restart

After disabling HTTP TRACE, run the curl command again to check the status.
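To make the before/after check repeatable, the following added example (not part of the tutorial or of Apache) sends a single TRACE request to a server you administer and classifies the reply. It assumes Apache's documented behaviour: with TRACE allowed the server answers 200 and echoes the request as message/http; with TraceEnable Off it answers 405 Method Not Allowed. The sample replies are constructed so the classifier can be exercised offline.

```python
# Added example: classify an HTTP TRACE response as enabled / disabled.
# Not code from the tutorial. Host names and sample replies are constructed.
import http.client
import ssl


def classify_trace_response(status: int, headers: dict, body: str) -> str:
    """Return 'enabled', 'disabled' or 'unknown' for one TRACE response."""
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    # Apache echoes the request back with Content-Type: message/http and
    # the body starts with the request line itself (TRACE / HTTP/1.1).
    if status == 200 and (ctype.startswith("message/http") or "TRACE /" in body):
        return "enabled"
    # TraceEnable Off makes Apache reply 405; 403/501 also mean TRACE is blocked.
    if status in (405, 403, 501):
        return "disabled"
    return "unknown"


def probe_trace(host: str, port: int = 443, use_tls: bool = True,
                timeout: float = 5.0) -> str:
    """Send one TRACE request to a host you operate and classify the reply."""
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # same effect as curl -k in the tutorial
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"X-Probe": "trace-check"})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
        return classify_trace_response(resp.status, dict(resp.getheaders()), body)
    finally:
        conn.close()


# Constructed sample replies, mirroring the tutorial's "enabled" output.
ENABLED_SAMPLE = (200, {"Content-Type": "message/http"},
                  "TRACE / HTTP/1.1\r\nHost: www.example.test\r\n"
                  "User-Agent: curl/7.15.5\r\nAccept: */*\r\n\r\n")
DISABLED_SAMPLE = (405, {"Content-Type": "text/html; charset=iso-8859-1",
                         "Allow": "GET,HEAD,POST,OPTIONS"},
                   "<p>The requested method TRACE is not allowed.</p>")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:           # python trace_check.py your.server.test
        print(probe_trace(sys.argv[1]))
    else:                           # offline: classify the constructed samples
        for sample in (ENABLED_SAMPLE, DISABLED_SAMPLE):
            print(sample[0], classify_trace_response(*sample))
```

Run it against your own host before and after adding TraceEnable Off; the result should move from "enabled" to "disabled".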
Comments

Thank you very much! I was trying to solve this problem for weeks! Greetings from Argentina.

emanuelcarbone

Thank you very much!!! It was a simple clear explanation. It helped me a lot!!!

andersoncdz

Still missing the information on how the credentials can be seen by other people. Although, knowing how to disable it is nice to know.

cncfreez

Thank you so much, can you please suggest more on Apache web server hardening?

purvashgangolli

I have one doubt: when I used curl -- Trace -v url, it is getting a response.

NishikantKhillare-le

Is every web server with TRACE enabled considered insecure? I had this disabled by default, but I was testing other links with the method mentioned in the video and found, for example, that my VPS provider's website has this allowed.

mackocour

How to disable the CONNECT method in HTTP proxy servers?

udhayashankar

Does this disable TRACE for all httpd ports?

DanielMaion