disable http trace method in apache

How to Disable HTTP TRACE Method in Apache

HTTP TRACK and TRACE methods support cross-site scripting and can expose your website vulnerabilities to malicious attackers and bots. It allows hackers to run their script on your web server without your knowledge. So it is important to disable HTTP TRACE and TRACK methods on your website. In this article, we will look at how to disable HTTP TRACE methods in Apache server. HTTP TRACK method is a Microsoft creation which is mainly used by testers, hackers, worms and not widely used. When we disable HTTP TRACE method, it will also disable HTTP TRACK method in Apache.


How to Disable HTTP TRACE Method in Apache

Here are the steps to disable HTTP TRACE method in Apache.


1. Enable mod_rewrite (.htaccess)

Here are the steps to enable mod_rewrite (.htaccess) according to your Linux system.

Ubuntu/Debian

Open terminal and run the following command to enable mod_rewrite.

$ sudo a2enmod rewrite


Redhat/CentOS/Fedora

Open Apache configuration file in a text editor.

$ sudo vi /etc/apache2/httpd.conf
OR
$ sudo vi /etc/httpd/httpd.conf

Look for the following line.

#LoadModule rewrite_module modules/mod_rewrite.so

Uncomment it by removing # at its beginning. If you don’t find this line, add it afresh.

Also look for the following Directory tag and change AllowOverride from None to All.

. . .
<Directory /var/www/html>
. . .
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride All
. . .
</Directory>
. . .


2. Open .htaccess file

Open terminal and run the following command to open .htaccess file.

$ sudo vi /var/www/html/.htaccess

Add the following lines to it.

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Save and close the file. The above code will return a 405 Method Not Allowed response when it receives TRACE/TRACK requests.


3. Restart Apache Server

Run the following command to test Apache server configuration.

$ /usr/sbin/apachectl -t
Syntax OK

Restart Apache server to apply changes.

$ sudo service apache2 restart


4. Validation

Connect to your server using telnet. Type the following. For localhost, replace hostname_you_are_testing with 127.0.0.1 or localhost.

TRACE / HTTP/1.0
Host: <hostname_you_are_testing>
TestA: Hello
TestB: World

If TRACK/TRACE is still enabled you will see the following kind of output. Otherwise you will see HTTP/1.1 405 OK in the first line of response, since your server will return 405 response code.

HTTP/1.1 200 OK
Server: Apache
Date: Tue, 04 Aug 2021 20:17:15 GMT
Content-Type: message/http
Content-Length: 76
    
TRACE / HTTP/1.0
Host: <hostname_you_are_testing>
TestA: Hello
TestB: World

That’s it. In this article, we have learnt how to disable HTTP TRACE/TRACK methods on your Apache server. This issue is easy to fix but has been around since quite a long time. Although it is considered a low risk vulnerability, it is commonly found on many networks. It is very important to disable them since it allows attackers to easily run their script on your website, without your permission or knowledge thereby making your website vulnerable.

Also read:

How to Switch User in Ubuntu Linux
How to Bring Background Process to Foreground
LS file size in kb, Mb
How to Get User Input in Shell Script
Shell Script to Get CPU Utilization and Memory Usage

Leave a Reply

Your email address will not be published.