Web Server TRACE Enabled
Virtue Security found web servers with the TRACE and TRACK verbs enabled. These verbs exist for debugging purposes, but under some circumstances can be used to create Cross-site Scripting (XSS) vulnerabilities. Although this scenario is generally not exploitable with modern web browsers, it is still recommended that these methods be disabled.
Below shows the TRACE method enabled:
$ nc 10.0.0.25 80
TRACE /<script>alert('xss')</script> HTTP/1.0
HTTP/1.1 200 OK
[..]
TRACE /<script>alert('xss')</script> HTTP/1.0
For more information on this attack, please reference the following URL: https://www.owasp.org/index.php/Cross_Site_Tracing
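The check below is an added example and is not part of the original advisory. It reproduces the manual nc test above as a small Python script a defender can run against a host before and after remediation: it sends a TRACE request carrying a harmless marker header (instead of the script tag) and reports whether the server returns 200 and reflects the marker. Two constructed local handlers stand in for a server with TRACE enabled and one with it disabled so the script runs offline; the marker value, the handler classes and the check_trace function are all assumptions of this example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed marker; if it comes back in the body, the server reflects TRACE requests.
PROBE_MARKER = "xst-probe-7f3a"


class EchoTraceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server with TRACE enabled: echoes the request."""

    def do_TRACE(self):
        echoed = self.requestline + "\r\n"
        echoed += "".join(f"{k}: {v}\r\n" for k, v in self.headers.items())
        body = echoed.encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class DenyTraceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a remediated server: TRACE is refused with 405."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def start_server(handler):
    """Start a local HTTP server on a free port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def check_trace(host, port, timeout=5):
    """Send a TRACE request and report whether the server reflects it.

    Returns a dict with the status code, whether the marker was reflected,
    and the overall verdict. Any transport error is reported rather than raised.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"X-Probe": PROBE_MARKER})
        resp = conn.getresponse()
        status = resp.status
        body = resp.read().decode(errors="replace")
    except OSError as exc:
        return {"status": None, "reflected": False, "trace_enabled": False,
                "error": str(exc)}
    finally:
        conn.close()
    reflected = PROBE_MARKER in body
    # TRACE is considered enabled only when the server answers 200 AND echoes
    # the request; a 200 without reflection is treated as a false positive.
    return {"status": status, "reflected": reflected,
            "trace_enabled": status == 200 and reflected, "error": None}


if __name__ == "__main__":
    for name, handler in (("enabled", EchoTraceHandler), ("disabled", DenyTraceHandler)):
        srv = start_server(handler)
        print(name, check_trace("127.0.0.1", srv.server_address[1]))
        srv.shutdown()
        srv.server_close()
```

Against a real host, call check_trace with its hostname and port; a status of 405, 403 or 501 without the marker echoed means the method is refused, which is the expected state after the remediation steps below.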
Remediation
The HTTP TRACE and TRACK methods have no use in production environments and can be safely disabled.
Disabling TRACE in Apache
For the following versions: 1.3.34 and up, 2.0.55 and up, 2.2.x, and 2.4.x
TRACE can be disabled in httpd.conf with the TraceEnable directive. Set this directive to 'off' as shown below:
TraceEnable off
Disabling TRACE in Apache prior to 1.3.34 and 2.0.55
Versions of Apache that do not support the TraceEnable directive should use mod_rewrite rules to reject TRACE and TRACK requests. Below shows an example rule that returns 403 Forbidden for both methods:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Disabling TRACE in IIS
TRACE can be disabled in IIS with the UrlScan extension. In the UrlScan.ini configuration file, ensure that TRACE is listed under DenyVerbs. For more information on UrlScan please reference the following URL: http://www.iis.net/downloads/microsoft/urlscan