- A local or remote unprivileged user may be able to abuse the HTTP TRACE/TRACK functionality to gain access to sensitive information in HTTP headers when making HTTP requests.
- For Apache / IBM HTTP Server, add the parameters below inside the <VirtualHost> block (between <VirtualHost *:443> and </VirtualHost>), for both port 80 and port 443.
****************************************************
# LoadModule is only valid in the main server configuration (outside any
# <VirtualHost>); it is normally already present in httpd.conf.
LoadModule rewrite_module modules/mod_rewrite.so

# With TraceEnable Off, Apache answers TRACE with 405 Method Not Allowed.
TraceEnable Off

# Rewrite settings are not inherited by virtual hosts, so enable the engine
# once inside each <VirtualHost> block (not before every rule).
RewriteEngine On

# Refuse TRACK, PUT and OPTIONS as well. [F] answers 403 Forbidden and implies
# [L]. Note that OPTIONS is used for CORS preflight requests, so remove it from
# the list if the site serves cross-origin browser clients.
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|PUT|OPTIONS)$
RewriteRule .* - [F]
****************************************************
To check, use the test cases below. If you get 405 Method Not Allowed, it works.
- curl -i -X OPTIONS http://ipAddressOrHostName:port
- curl -X TRACE localhost
Output:
***********
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /.</p>
</body>
</html>
***********
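The curl commands above check one method at a time. The script below is an added example, not part of the original post and not Apache code: it probes all four methods in one run and lists any the server still answers with success. The stand-in HTTP server it starts is constructed here so the probe runs offline (it is not Apache); to check a real deployment, call probe_methods() with the host and port of that server.

```python
"""Probe a web server for HTTP methods that should be refused and report
which ones it still accepts.

Added example, not part of the original post and not Apache code. The
stand-in server below is constructed so the probe runs offline; point
probe_methods() at a real host:port to check an actual deployment.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

RISKY_METHODS = ("TRACE", "TRACK", "PUT", "OPTIONS")

# Apache answers a refused method with 405 (TraceEnable Off), 403 (a
# RewriteRule [F] match) or 501 (method unknown to the server).
REFUSED_STATUSES = {403, 405, 501}


def probe_methods(host, port, methods=RISKY_METHODS, timeout=5):
    """Send each method to '/' and return {method: HTTP status code}."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, "/")
            resp = conn.getresponse()
            resp.read()  # drain the body so the connection closes cleanly
            results[method] = resp.status
        finally:
            conn.close()
    return results


def exposed_methods(results):
    """Methods the server still answers with something other than a refusal."""
    return sorted(m for m, status in results.items()
                  if status not in REFUSED_STATUSES)


class _StandInHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a web server; `hardened` toggles the refusals."""
    hardened = True

    def _refuse(self):
        # Mirrors the 405 page Apache sends for TRACE when TraceEnable is Off.
        body = (f"<h1>Method Not Allowed</h1><p>The requested method "
                f"{self.command} is not allowed for the URL {self.path}.</p>").encode()
        self.send_response(405)
        self.send_header("Allow", "GET")
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _echo(self):
        # Unhardened TRACE/TRACK behaviour: the request line and headers come
        # back in the body, so any cookie or authorization header the client
        # sent is readable by whoever caused the request.
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _accept(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self._accept()

    def do_TRACE(self):
        self._refuse() if self.hardened else self._echo()

    do_TRACK = do_TRACE

    def do_PUT(self):
        self._refuse() if self.hardened else self._accept()

    do_OPTIONS = do_PUT

    def log_message(self, *args):
        pass  # keep the probe output uncluttered


def start_stand_in(hardened=True):
    """Start the stand-in server on a free loopback port; returns (server, port)."""
    handler = type("Handler", (_StandInHandler,), {"hardened": hardened})
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    for hardened in (False, True):
        server, port = start_stand_in(hardened)
        results = probe_methods("127.0.0.1", port)
        print("hardened" if hardened else "unhardened", results,
              "exposed:", exposed_methods(results))
        server.shutdown()
        server.server_close()
```

The probe treats 403, 405 and 501 all as refusals because a real Apache host answers TRACE with 405 when TraceEnable is Off but answers a RewriteRule [F] match with 403; a status of 200 for TRACE or TRACK means the request headers were echoed back, which is the exposure the post describes.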
Thanks 😊