Web Server

How to Disable HTTP TRACE Method for Apache, IIS, sunOne, and Lotus Domino

The HTTP TRACE method is normally used to return the full HTTP request back to the requesting client for proxy-debugging purposes. An attacker can create a webpage using XMLHTTP, ActiveX, or XMLDOM to cause a client to issue a TRACE request and capture the client’s cookies. This effectively results in a Cross-Site Scripting attack. In this post, I will be explaining how to disable HTTP trace method for Apache, IIS, SunOne, and Lotus Domino.

Disable HTTP TRACE Method for Apache
Newer versions of Apache (1.3.34 and 2.0.55 and later) provide a configuration directive called TraceEnable.

To deny TRACE requests, add the following line to the server configuration:
TraceEnable off

For older versions of the Apache webserver, use the mod_rewrite module to deny the TRACE requests:
RewriteEngine On
RewriteRule .* - [F]

Disable HTTP TRACE Method for Microsoft IIS
For Microsoft Internet Information Services (IIS), you may use the URLScan tool, freely available at this link.

Disable HTTP TRACE Method for SunONE/iPlanet
For Sun ONE/iPlanet Web Server v6.0 SP2 and later, add the following configuration to the top of the default object in the ‘obj.conf’ file:

< Client method="TRACE" >
AuthTrans fn="set-variable"
set-headers="content-length: -1"
< /Client >

Disable HTTP TRACE Method for Domino
Follow IBM’s instructions for disabling HTTP methods on the Domino server by adding the following line to the server’s NOTES.INI file:
After saving NOTES.INI, restart the Notes web server by issuing the console command "tell http restart"

Following the steps above should help disable HTTP trace methods and it should not be captured during penetration testing on your servers.

Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x