Friday 10 July 2020

Disable HTTP TRACE / TRACK / OPTIONS / DELETE Methods

  • A local or remote unprivileged user may be able to abuse the HTTP TRACE/TRACK functionality to gain access to sensitive information in HTTP headers when making HTTP requests.
  • For Apache / IBM HTTP Server, add the directives below inside the <VirtualHost> block for port 443 (between the opening <VirtualHost> tag and the closing </VirtualHost> tag), and likewise for port 80.

****************************************************
# LoadModule is valid only at server-config level (usually already present in
# httpd.conf); it cannot be placed inside <VirtualHost>.
LoadModule rewrite_module modules/mod_rewrite.so

# Core-level switch: TRACE is answered with 405 Method Not Allowed.
TraceEnable Off

# Refuse the remaining methods with mod_rewrite. One RewriteEngine On is
# enough per context; the [F] flag answers with 403 Forbidden.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|PUT|OPTIONS)$
RewriteRule .* - [F,L]
****************************************************

To check, run the test cases below. If you get 405 Method Not Allowed, it is working. (A 403 Forbidden for the methods handled by the RewriteRule also means the method is blocked, since that is what the [F] flag returns.)

  • curl -i -X OPTIONS http://ipAddressOrHostName:port
  • curl -X TRACE localhost

Output:
***********
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /.</p>
</body>
</html>
***********
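The curl commands above check one method at a time by eye. The script below, an added example that is not part of the original post, automates the same check for every method named in the title: it sends each one with a canary header and treats a method as blocked only if the server refuses it (403, 405 or 501) and does not echo the request back, which is the actual leak behind TRACE/TRACK. To keep the example self-contained it also starts a throw-away local server that can act either like the hardened Apache output shown above or like an unhardened server that reflects the request; the server, its port and the canary header are constructed for the demo. Point audit() at a real host and port to check your own server.

```python
"""Audit an HTTP server for risky methods (TRACE, TRACK, PUT, OPTIONS, DELETE).

Added example; not from the original post. It starts a throw-away local
HTTP server in either "hardened" mode (answers 405 like the post's Apache
output) or "weak" mode (echoes TRACE/TRACK like an unhardened server), then
probes it the same way the curl commands do. Point audit() at a real host
and port to check your own server.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods the post's title lists as ones to disable.
RISKY_METHODS = ("TRACE", "TRACK", "PUT", "OPTIONS", "DELETE")
# Responses that show the server refused the method: 405 from TraceEnable Off,
# 403 from a mod_rewrite [F] rule, 501 for a method the server does not know.
BLOCKED_STATUSES = {403, 405, 501}
# Constructed canary header; if it comes back in the body, the request was echoed.
CANARY_HEADER, CANARY_VALUE = "X-Audit-Canary", "canary-7f3a"


def probe_method(host, port, method, path="/", timeout=5):
    """Send one request with a canary header; return (status, echoed)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path, headers={CANARY_HEADER: CANARY_VALUE})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
    finally:
        conn.close()
    # TRACE/TRACK reflect the request line and headers, cookies and auth included;
    # seeing the canary in the body is the leak the post warns about.
    return resp.status, CANARY_VALUE in body


def audit(host, port, methods=RISKY_METHODS):
    """Probe each method; a method counts as blocked only if refused and not echoed."""
    results = {}
    for method in methods:
        status, echoed = probe_method(host, port, method)
        results[method] = {
            "status": status,
            "echoed": echoed,
            "blocked": status in BLOCKED_STATUSES and not echoed,
        }
    return results


def exposed_methods(results):
    """Methods the server still accepts, sorted for stable reporting."""
    return sorted(m for m, r in results.items() if not r["blocked"])


class _DemoHandler(BaseHTTPRequestHandler):
    """Local stand-in for the target server (constructed for the demo)."""
    hardened = True

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _send(self, status, body, ctype="text/html"):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self._send(200, b"ok", "text/plain")

    def _risky(self):
        if self.hardened:
            # Same shape as the 405 page the post shows for Apache.
            self._send(405, b"<h1>Method Not Allowed</h1>")
        else:
            # Unhardened behaviour: reflect request line and headers (message/http).
            reflected = f"{self.command} {self.path} {self.request_version}\r\n{self.headers}"
            self._send(200, reflected.encode("latin-1"), "message/http")

    do_TRACE = do_TRACK = do_PUT = do_OPTIONS = do_DELETE = _risky


def run_demo(hardened=True):
    """Start a local server in the chosen mode, audit it, shut it down."""
    handler = type("DemoHandler", (_DemoHandler,), {"hardened": hardened})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for mode in (True, False):
        res = run_demo(hardened=mode)
        print("hardened" if mode else "weak", "-> exposed:", exposed_methods(res) or "none")
```

The canary check matters because a status code alone can mislead: a server that answers TRACE with 200 and a message/http body has just handed back every header the client sent, which is exactly what the rewrite rules and TraceEnable Off are there to stop.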


Thanks 😊
