How to Verify that HTTP TRACE is Disabled

In the past, the TRACE command in the HTTP specification was considered a “safe” command. However, due to the information disclosed combined with other cross-domain exploits, TRACE is no longer considered safe. See US-CERT Vulnerability Note VU#867593 for more information.

I was asked how to verify that the TRACE command (in Apache) is disabled. The easiest way to do this is to use telnet. Launch telnet.

telnet hostname 80
Now, we can issue the TRACE command for a given url.

TRACE /index.html HTTP/1.0
If TRACE is enabled, you will get output that looks something like this:
HTTP/1.1 200 OK Date: Fri, 05 Dec 2008 05:59:45 GMT Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.3 with Suhosin-Patch Connection: close Content-Type: message/http


TRACE /index.html HTTP/1.0

Connection closed by foreign host.

Now, if TRACE is disabled, the output will look like this:
HTTP/1.1 405 Method Not Allowed Date: Mon, 08 Dec 2008 21:26:13 GMT Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.4 with Suhosin-Patch Allow: Content-Length: 347 Connection: close Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>405 Method Not Allowed</title> </head><body> <h1>Method Not Allowed</h1> <p>The requested method TRACE is not allowed for the URL /index.html.</p> <hr> <address>Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.4 with Suhosin-Patch Server at localhost Port 80</address> </body></html> Connection closed by foreign host.

5 Comments

joe
2009-01-07 - 10:00 am

What if telnet is actively being blocked… is there another way to invoke the TRACE request in an attempt to verify whether the potential vulnerability exists?

plaseadd
2009-01-07 - 10:02 am

This stupid “Pleas add” is not very intuitive. In a sense it is not really stupid at all, but when you page is telling me that I didn’t pass math it is annoying. Spend more time making the site intuitive instead of nebulous. Please add could mean please include. Your welcome for the feedback.

mensming Author
2009-01-08 - 1:37 am

Thanks Joe – I will research a solution to this and respond back…

mensming Author
2009-01-08 - 1:42 am

plaseadd – the functionality you are referring to is a WordPress plugin called “Did You Pass Math”. This plugin is recommended by my hosting provider to prevent blog spam. I will look at disabling it.

If you would like to provide feedback directly to the author of the plugin, it can be found at http://www.herod.net/dypm/

Pingback: MEE SQA Blog » Blog Archive » How to Verify that HTTP TRACE is Disabled - Telnet Disabled

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

How to Verify that HTTP TRACE is Disabled

5 Comments

Leave a Reply Cancel reply

Recent Posts

Recent Comments

Archives

Categories

Meta