Trace Method Is Enabled

About the TRACE method

The TRACE capability could be abused by vulnerable or malicious applications to trick a web browser into issuing a TRACE request against an arbitrary site and then forwarding the TRACE response (which echoes the full request, headers included) to a third party using web browser features.


IIS

<!-- web.config: route TRACE requests to the default handler ... -->
<httpHandlers>
  <add path="*" verb="TRACE" type="System.Web.DefaultHttpHandler" validate="true"/>
</httpHandlers>
<!-- ... and deny the TRACE verb for every user, so the request never reaches application code -->
<authorization>
  <deny verbs="TRACE" users="*" />
</authorization>


APACHE

RewriteEngine On
# Match only requests whose method is TRACE ...
RewriteCond %{REQUEST_METHOD} ^TRACE
# ... and answer them with 403 Forbidden without rewriting the URL
RewriteRule .* - [F]

The flags in square brackets select the action: [F] returns a 403 Forbidden response, [R] issues a redirect, and so on. Note: by default, rewrite configurations are not inherited across virtual hosts, so add RewriteEngine On (and the rules) to each virtual host.

This approach still has the disadvantage that mod_rewrite must be loaded on the server, to name just one. For Apache versions newer than 1.3.34 on the legacy branch and 2.0.55 or newer for Apache 2, it is much simpler, because a directive was added that controls whether the TRACE method is enabled at all: TraceEnable off


Tomcat

In Apache Tomcat, security is enforced by way of security constraints defined in the Java Servlet specification. These are not placed in Tomcat's main server.xml but in the web application's web.xml configuration file.

webapps/theAPP/WEB-INF/web.xml

<!-- Sample security constraint: an empty auth-constraint means no role may use TRACE, so it is denied for everyone -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <auth-constraint />
</security-constraint>
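Whichever of the three configurations above is applied, the change should be verified from the outside: a server with TRACE enabled answers 200 with Content-Type message/http and echoes the request headers back, while a hardened one answers 405 (TraceEnable off), 403 (the mod_rewrite rule) or 401/403 (the IIS deny rule). The following Python script is an added example, not part of the original page or of any of the projects it describes. It sends a single TRACE request carrying a marker header and reports whether that marker came back; the two local handler classes are constructed stand-ins for an echoing server and a hardened server so the check can be exercised offline. The host, port and header name are assumptions for the example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Marker header we send; a genuine TRACE echo must contain it in the body.
PROBE_HEADER = "X-Probe"
PROBE_VALUE = "trace-check"


def trace_enabled(host, port, timeout=5):
    """Send one TRACE request and report (enabled, status_code).

    enabled is True only when the server answers 200 with a message/http body
    that echoes our marker header, which is what an active TRACE handler does.
    Any other answer (403, 405, 501, ...) is treated as TRACE being disabled.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={PROBE_HEADER: PROBE_VALUE})
        resp = conn.getresponse()
        body = resp.read()
        ctype = resp.getheader("Content-Type", "")
        marker = f"{PROBE_HEADER}: {PROBE_VALUE}".encode("iso-8859-1")
        echoed = resp.status == 200 and ctype.startswith("message/http") and marker in body
        return echoed, resp.status
    finally:
        conn.close()


class EchoTraceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server with TRACE left on: echoes the request."""

    def do_TRACE(self):
        # Request line plus all received headers, exactly what a TRACE echo returns
        raw = self.requestline + "\r\n" + str(self.headers)
        payload = raw.encode("iso-8859-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the example quiet
        pass


class DenyTraceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a hardened server (e.g. TraceEnable off): 405."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def serve(handler):
    """Start handler on 127.0.0.1 with an OS-assigned port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe_against(handler):
    """Run the TRACE check against a local server built from handler."""
    server, port = serve(handler)
    try:
        return trace_enabled("127.0.0.1", port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, handler in (("echoing server", EchoTraceHandler),
                          ("hardened server", DenyTraceHandler)):
        enabled, status = probe_against(handler)
        print(f"{name}: status={status} trace_enabled={enabled}")
```

To check a real deployment, call trace_enabled with the server's host and port after applying one of the configurations above; the status code it returns tells you which rule answered (405 for TraceEnable off, 403 for the rewrite rule), and enabled must come back False on every virtual host, not just the default one.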