Tuesday, June 16, 2015

Disable HTTP TRACE / TRACK Methods

This is the vulnerability that scanners most frequently complain about: the TRACE method being enabled on the tested web server. When the debugging function is enabled on a web server, the TRACE and TRACK methods can be executed. Normally this is enabled by default, but if you want to test whether it is really enabled on your server, telnet to the port your web server is listening on and send "TRACE / HTTP/1.0"; if you get a positive reply (the server echoes your request back), TRACE is enabled on your system.

To see if TRACE is supported by your server, you can also use curl:

$ curl -i -X TRACE http://www.example.com
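The telnet/curl check above as a small Python probe, added here as an example and not part of the original post: it sends the same "TRACE / HTTP/1.0" request with a marker header and classifies the reply as enabled, disabled or unknown. The host, port and sample replies are assumptions constructed for the example.

```python
import socket

# Constructed sample replies (not captured from a real server) so the
# classifier can be exercised offline; probe_trace() does the live check.
SAMPLE_REPLIES = {
    "echoing": (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                b"TRACE / HTTP/1.0\r\nHost: x\r\nX-Probe: trace-check\r\n\r\n"),
    "blocked": b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST\r\n\r\n",
}

def build_trace_request(host: str) -> bytes:
    """The request the page types into telnet, plus a marker header to spot the echo."""
    return (f"TRACE / HTTP/1.0\r\nHost: {host}\r\n"
            f"X-Probe: trace-check\r\n\r\n").encode()

def classify_trace_response(raw: bytes) -> str:
    """Return 'enabled', 'disabled' or 'unknown' for a raw HTTP reply."""
    # Enabled: 200 and the request is echoed back (Content-Type message/http
    # or our marker header in the body). Disabled: 403 (mod_rewrite [F]),
    # 405 (TraceEnable off) or 501 (obj.conf error="501").
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "unknown"
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    echoed = (headers.get(b"content-type", b"").startswith(b"message/http")
              or b"x-probe: trace-check" in body.lower())
    if status == 200 and echoed:
        return "enabled"
    if status in (403, 405, 501):
        return "disabled"
    return "unknown"

def probe_trace(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send the TRACE request over a plain socket and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))

if __name__ == "__main__":
    for name, reply in SAMPLE_REPLIES.items():
        print(f"sample {name}: {classify_trace_response(reply)}")
```

Run it against a host you administer with probe_trace("www.example.com") after applying one of the fixes below and the result should change from "enabled" to "disabled".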


To disable these methods, follow the steps below.

Apache Server:
The more involved mechanism is a mod_rewrite rule that blocks the HTTP methods; it is quite popular and works with ANY version of Apache that supports mod_rewrite. The directives below need to be set; they are written assuming this is your first use of mod_rewrite.

The first thing to do is make sure that mod_rewrite is loaded. If mod_rewrite.so is missing from your Apache configuration but you have it installed (and your install location is /usr/local/apache), add the following statement to your httpd.conf:

LoadModule  rewrite_module  "/usr/local/apache/modules/mod_rewrite.so"

Then add the following as well to your httpd.conf file:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]


Please note that by default, rewrite configurations are not inherited across virtual servers, so add RewriteEngine On (together with the rule) to each virtual host. Restart Apache, re-run the curl check above, and with either method you should receive an HTTP 405 Method Not Allowed status code back.

For newer versions of Apache (1.3.34 or later on the legacy branch, and 2.0.55 or later) there is a simpler option.

Add the TraceEnable directive to your httpd.conf and set its value to Off. If httpd.conf is not available, set "TraceEnable off" in /etc/apache2/apache2.conf or (on the Debian packaging) in /etc/apache2/sites-enabled/000-default.

Finally, restart the Apache server.

IIS 6 Server:

The only supported remediation is installing URLScan from Microsoft (versions 2.5 and 3.1 are still available). The urlscan.ini file shipped with URLScan sets "UseAllowVerbs=1" by default, and in its [AllowVerbs] section only the HTTP methods GET, HEAD and POST are listed, so simply by installing URLScan you are protected from TRACE and TRACK.

IIS 7 Server:

Refer to the article http://www.iis.net/configreference/system.webserver/security/requestfiltering/verbs, which provides a detailed description.
 
Sun GlassFish Enterprise Server:
If you are using GlassFish v2, you need to set the property "traceEnabled" to "true" or "false" under .
Here is the reference documentation listing all the property names for http-service: http://docs.sun.com/app/docs/doc/820-4338/abhcq?a=view

If you are using v3, using the Admin Console:
Expand Configuration -> Network Config -> Network Listeners
Click the listener name that you want to configure.
You can then change the Trace-Enabled checkbox under the HTTP tab.

Using the CLI
You need to find out the name of the protocol your listener uses. The following example shows how to get the current setting and change it to false. By default, Trace is enabled. The example below uses "http-listener-1" only because that is the name of the protocol.

$./asadmin get configs.config.server-config.network-config.protocols.protocol.http-listener-1.http.trace-enabled
configs.config.server-config.network-config.protocols.protocol.http-listener-1.http.trace-enabled=true

Command get executed successfully.

$./asadmin set configs.config.server-config.network-config.protocols.protocol.http-listener-1.http.trace-enabled=false
configs.config.server-config.network-config.protocols.protocol.http-listener-1.http.trace-enabled=false
Command set executed successfully.

Alternative option to disable TRACE/TRACK on Sun Servers
Change the obj.conf file in the config directory of the web server instance (i.e. not the admin-server config directory) and add the "If" below.


AuthTrans fn="set-variable" error="501"

AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
NameTrans fn="ntrans-j2ee" name="j2ee"

