
Friday, August 22, 2008

Disabling Trace method (IIS/Apache)

The HTTP TRACE method is a debugging method that asks the server for an application-layer loopback of the request: the server echoes the request message it received back to the client in the response body (Content-Type: message/http). That lets a client see exactly what arrives at the far end of the request chain, which is useful for testing and debugging, but the echo contains every request header. If an attacker can make a victim's browser issue a TRACE to the site (cross-site tracing, usually through a script injection), the echoed response hands the attacker the victim's cookies, including ones marked HttpOnly, and any Authorization header carrying the site's credentials; Via headers added by intermediate proxies can also reveal back-end server addresses.

[Checking method]
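
The check itself, as an added example that is not part of the original post: send a TRACE with a canary header and classify the answer. TRACE is only counted as enabled when the server returns 2xx and the body is actually the echoed request (Content-Type message/http or the canary present), because some front ends answer 200 with an HTML page for any verb. The curl invocation, the host names and the canary value are assumptions; the sample responses are constructed so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): probe a web server for HTTP TRACE
# and classify the answer. Host names and the canary value are assumptions.

# Send a raw TRACE with a canary header. A server that still has TRACE enabled
# echoes the request back, canary included, with Content-Type: message/http.
probe_trace() {
    host="$1"
    port="${2:-80}"
    curl -s -i -X TRACE -H "X-Trace-Probe: canary-4e1b" "http://$host:$port/"
}

# Classify a raw HTTP response (status line + headers + body) as
# "enabled" or "disabled". Enabled means: 2xx status AND the body is the
# echoed request. A 403 (mod_rewrite [F]), 405 (TraceEnable Off) or 501
# means the server refused the method.
classify_trace_response() {
    resp="$1"
    status=$(printf '%s\n' "$resp" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]*\).*/\1/p')
    case "$status" in
        2[0-9][0-9])
            if printf '%s\n' "$resp" | grep -qi '^Content-Type: *message/http' \
               || printf '%s\n' "$resp" | grep -q '^X-Trace-Probe: canary-4e1b'; then
                echo enabled
                return 0
            fi
            ;;
    esac
    echo disabled
}

# Constructed sample responses with CRLF line endings as seen on the wire.
# 1) TRACE enabled: Apache echoes the request, canary and all.
SAMPLE_ENABLED=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.2.9\r\nContent-Type: message/http\r\nContent-Length: 85\r\n\r\nTRACE / HTTP/1.1\r\nHost: www.example.test\r\nX-Trace-Probe: canary-4e1b\r\nAccept: */*\r\n\r\n')
# 2) TRACE disabled with TraceEnable Off: 405 and no echo.
SAMPLE_DISABLED=$(printf 'HTTP/1.1 405 Method Not Allowed\r\nServer: Apache/2.2.9\r\nAllow: GET,HEAD,POST,OPTIONS\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n<html><body><h1>Method Not Allowed</h1></body></html>\r\n')
# 3) A front end that answers 200 with HTML for any verb: not an echo, so not enabled.
SAMPLE_HTML_200=$(printf 'HTTP/1.1 200 OK\r\nServer: SomeBalancer\r\nContent-Type: text/html\r\n\r\n<html><body>Welcome</body></html>\r\n')

# Offline demonstration; against a live host use:
#   classify_trace_response "$(probe_trace www.example.test 80)"
echo "sample 1: $(classify_trace_response "$SAMPLE_ENABLED")"
echo "sample 2: $(classify_trace_response "$SAMPLE_DISABLED")"
echo "sample 3: $(classify_trace_response "$SAMPLE_HTML_200")"
```

Run the probe before and after the change on each server and each virtual host, not just the default site, since the Apache fix below has to be repeated per container.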



[Disabling method]

* IIS

- Use the URLScan filter to deny the TRACE verb outright, or (the stronger policy) to allow only the verbs the site actually needs. IIS 5.x and 6.0 also answer TRACK, an IIS-specific alias of TRACE, so deny both.

- Alternatively, on IIS 6.0, check the following registry value and make sure it is 0. The change takes effect after the web service is restarted (iisreset); confirm the result with an actual TRACE request rather than trusting the documented default.

Registry Path : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters
Value Name : EnableTraceMethod
Data Type : REG_DWORD
Default Value : 0 (disabled)
(http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/d779ee4e-5cd1-4159-b098-66c10c5a3314.mspx?mfr=true)
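
An added example of the URLScan configuration, not taken from the original post: the relevant sections of UrlScan.ini showing both policies the page mentions, an allow-list of verbs (UseAllowVerbs=1) and a plain deny-list. The verb lists are an assumption about what a typical site needs; adjust them to the site policy.

```ini
; Added example (not from the original post): UrlScan.ini fragment.
[Options]
; 1 = accept only the verbs listed under [AllowVerbs] (recommended)
; 0 = accept everything except the verbs listed under [DenyVerbs]
UseAllowVerbs=1

[AllowVerbs]
; Assumed verb set for a site that only serves pages and forms
GET
HEAD
POST

[DenyVerbs]
; Used only when UseAllowVerbs=0; TRACK is the IIS alias of TRACE
TRACE
TRACK
```

With UseAllowVerbs=1 the [DenyVerbs] list is ignored, so TRACE and TRACK are rejected simply by not being listed; the deny entries are kept for sites that switch to UseAllowVerbs=0.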

* Apache

- Use Apache's mod_rewrite module to deny HTTP TRACE requests, or to permit only the methods the site policy allows. In short, add a few mod_rewrite directives to the web server configuration file, in the main server scope and again in every <VirtualHost> container, because rewrite rules in the main scope are not inherited by virtual hosts. Here is an example:

In the httpd.conf file,

# Deny TRACE in the main server scope (repeat these three directives in each <VirtualHost>)
RewriteEngine On
# Match only when the request method is TRACE
RewriteCond %{REQUEST_METHOD} ^TRACE
# Any URL, no substitution; answer 403 Forbidden
RewriteRule .* - [F]

mod_rewrite must be loaded (a LoadModule line for rewrite_module) before these directives are accepted; otherwise Apache refuses to start with "Invalid command 'RewriteEngine'". Restart Apache after the change and confirm with a TRACE request that the server now answers 403.
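
An added example, not the original post's configuration, of the complete Apache setup. Apache 1.3.34, 2.0.55 and 2.2 onwards provide a single server-wide TraceEnable directive, which is the simpler fix; the mod_rewrite rule is kept as the fallback and shown repeated inside a placeholder <VirtualHost>. Note that <Limit> and <LimitExcept> cannot block TRACE, which is why one of these two mechanisms is required. The host name and DocumentRoot are assumptions; on a build older than those versions, remove the TraceEnable line, because an unknown directive stops Apache from starting.

```apache
# Added example (not from the original post). Host name and paths are placeholders.

# Preferred on Apache 1.3.34 / 2.0.55 / 2.2 and later: one directive, and
# Apache answers every TRACE with 405 Method Not Allowed.
TraceEnable Off

# Fallback for older builds: deny TRACE with mod_rewrite (403 Forbidden).
# Wrapped in IfModule so the config still loads if mod_rewrite is absent.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]
</IfModule>

# RewriteEngine On in the main scope is not inherited, so the rule is
# repeated in every virtual host (TraceEnable Off above already covers them).
<VirtualHost *:80>
    ServerName www.example.test
    DocumentRoot /var/www/example
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} ^TRACE
        RewriteRule .* - [F]
    </IfModule>
</VirtualHost>
```

After reloading, a TRACE request should come back as 405 (TraceEnable Off) or 403 (the rewrite rule); a 200 with a message/http body means some virtual host was missed.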

When I write vulnerability remediation reports for overseas clients, I end up writing the description of the vulnerability and the remediation recommendation in English, so I am posting on the blog the English text I wrote and organized for that purpose.
