How to Verify that HTTP TRACE is Disabled
In the past, the TRACE command in the HTTP specification was considered a “safe” command. However, due to the information disclosed combined with other cross-domain exploits, TRACE is no longer considered safe. See US-CERT Vulnerability Note VU#867593 for more information.
I was asked how to verify that the TRACE command (in Apache) is disabled. The easiest way to do this is to use telnet. Launch telnet.
telnet hostname 80
Now, we can issue the TRACE command for a given url.
TRACE /index.html HTTP/1.0
If TRACE is enabled, you will get output that looks something like this:
HTTP/1.1 200 OK
Date: Fri, 05 Dec 2008 05:59:45 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.3 with Suhosin-Patch
Connection: close
Content-Type: message/http
TRACE /index.html HTTP/1.0
Connection closed by foreign host.
Now, if TRACE is disabled, the output will look like this:
HTTP/1.1 405 Method Not Allowed
Date: Mon, 08 Dec 2008 21:26:13 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.4 with Suhosin-Patch
Allow:
Content-Length: 347
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /index.html.</p>
<hr>
<address>Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.4 with Suhosin-Patch Server at localhost Port 80</address>
</body></html>
Connection closed by foreign host.
5 Comments
What if telnet is actively being blocked… is there another way to invoke the TRACE request in an attempt to verify whether the potential vulnerability exists?
This stupid “Pleas add” is not very intuitive. In a sense it is not really stupid at all, but when you page is telling me that I didn’t pass math it is annoying. Spend more time making the site intuitive instead of nebulous. Please add could mean please include. Your welcome for the feedback.
Thanks Joe – I will research a solution to this and respond back…
plaseadd – the functionality you are referring to is a WordPress plugin called “Did You Pass Math”. This plugin is recommended by my hosting provider to prevent blog spam. I will look at disabling it.
If you would like to provide feedback directly to the author of the plugin, it can be found at http://www.herod.net/dypm/