Vulnerability name: Unsafe HTTP methods

Aliases
  • Web server HTTP Trace/Track method support
  • Cross-site tracing vulnerability
  • Dangerous HTTP methods
Scope
Although this is a server configuration issue, it is the client that is at risk: a cross-site tracing attack targets the credentials of the visitor's browser, not the server itself.
Remediation
Disable TRACE and/or TRACK and/or DEBUG methods

Verification

Using curl, one can employ one of the methods by hand:

curl -sIX TRACE $TARGET | awk 'NR==1 {print $2}'

Vulnerable when: the result is 200 and the response body echoes the request you sent (a genuine TRACE response carries Content-Type: message/http). Some servers answer 200 to any unknown method by treating it as a GET, so a 200 status on its own is not proof.

One should expect (not vulnerable) 405 (Method Not Allowed) or 501 (Not Implemented) results.

This executes the TRACE method against $TARGET and prints the HTTP status code using awk. The -I parameter fetches the head only, -s stands for silent mode, and -X specifies the method.

The easiest way to test whether a server is vulnerable is by using the script analyze_hosts.py [1].

This script uses curl as well as nmap to perform multiple tests.

analyze_hosts.py --trace http://www.target.com

Note

When an OPTIONS method is issued, the web server should return the supported methods in the Allow header. Some web servers have a habit of replying with methods that are in fact not supported, which does not combine nicely with inferior security scanners (and pentesters, I might add) that rely on the OPTIONS command. Always verify the method itself, and do not rely on the OPTIONS method (or on the results of a security scanner).
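The following is an added example (not code from this page or from analyze_hosts.py) that demonstrates both the manual verification above and the note about OPTIONS. It starts a constructed mock web server on localhost that behaves like a misconfigured host: TRACE echoes the request back, while OPTIONS advertises TRACK and DEBUG that it does not actually implement. The probe then sends each dangerous method verbatim over a raw socket, the way curl -X does, records the real status code, and checks whether a constructed sample Cookie header (session=deadbeef) comes back in the body, which is the leak that cross-site tracing exploits. The mock server, the cookie value and the function names are assumptions for the example, not behaviour of any particular product.

```python
import http.server
import socket
import threading

# Constructed sample cookie: stands in for the session cookie a victim's browser
# would attach to a TRACE request issued by attacker-controlled client-side code.
SAMPLE_COOKIE = "session=deadbeef"


class MisconfiguredHandler(http.server.BaseHTTPRequestHandler):
    """Mock server (constructed for this example) that mimics a weak configuration:
    TRACE echoes the request, and OPTIONS claims more methods than exist.
    Methods without a do_<METHOD> handler get a 501 from BaseHTTPRequestHandler."""
    protocol_version = "HTTP/1.1"

    def do_OPTIONS(self):
        self.send_response(200)
        # Over-reports: TRACK and DEBUG are not implemented by this handler.
        self.send_header("Allow", "OPTIONS, GET, HEAD, POST, TRACE, TRACK, DEBUG")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_TRACE(self):
        # Echo the request line and every request header, as a TRACE-enabled server does.
        headers = "".join(f"{k}: {v}\r\n" for k, v in self.headers.items())
        body = (self.requestline + "\r\n" + headers + "\r\n").encode("iso-8859-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


def start_mock_server():
    """Bind the mock server to an ephemeral localhost port and serve in the background."""
    server = http.server.HTTPServer(("127.0.0.1", 0), MisconfiguredHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, method, path="/", extra_headers=None, timeout=5.0):
    """Send one raw HTTP/1.1 request with the given method and return
    (status, headers, body). A raw socket is used so the method is sent verbatim."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}:{port}", "Connection: close"]
    for k, v in (extra_headers or {}).items():
        lines.append(f"{k}: {v}")
    request = ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks).decode("iso-8859-1")
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def assess(host, port):
    """Compare what OPTIONS claims with what a real probe of each method shows.
    A method is flagged vulnerable only on 200 plus an echoed request body."""
    _, opt_headers, _ = probe(host, port, "OPTIONS")
    claimed = {m.strip().upper() for m in opt_headers.get("allow", "").split(",") if m.strip()}
    verified = {}
    for method in ("TRACE", "TRACK", "DEBUG"):
        status, _, body = probe(host, port, method, extra_headers={"Cookie": SAMPLE_COOKIE})
        echoed = SAMPLE_COOKIE in body
        verified[method] = {"status": status, "vulnerable": status == 200 and echoed}
    return claimed, verified


if __name__ == "__main__":
    srv = start_mock_server()
    host, port = srv.server_address
    claimed, verified = assess(host, port)
    print("OPTIONS claims:", sorted(claimed))
    for method, result in verified.items():
        print(f"{method}: status {result['status']}, vulnerable={result['vulnerable']}")
    srv.shutdown()
```

Running it shows TRACE returning 200 with the Cookie header echoed (vulnerable), while TRACK and DEBUG, although listed by OPTIONS, return 501. Point the probe at a real host by replacing the mock server's address; the check logic is the same.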

Explanation

There are a number of official (standards compliant) HTTP methods:

OPTIONS, HEAD, GET, POST, PUT, DELETE, TRACE, CONNECT

An ordinary web server supports the HEAD, GET and POST methods to retrieve static and dynamic content (enabling WebDAV on a web server will add support for the PUT and DELETE methods).

TRACE and TRACK are methods intended for debugging: the server echoes the request it received, including all request headers, back in the response body. In a cross-site tracing (XST) attack, client-side code running in the victim's browser issues a TRACE request and reads the echoed Cookie or Authorization headers, which bypasses protections such as the HttpOnly cookie flag. Current browsers refuse to send TRACE or TRACK from script, which limits the practical impact, but older clients, plugins and proxies may not, and the leak itself remains whenever the method is enabled.

These HTTP methods should not be supported on public web servers, as they increase the attack surface.

Solution/remediation

Apache

Add the following to your Apache httpd.conf file:

TraceEnable Off

IIS7 and higher

appcmd.exe set config /section:requestfiltering /+verbs.[verb='TRACE',allowed='false']

IIS6

Import the following registry file (and restart the IIS service afterwards):

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters]
"EnableTraceMethod"=dword:00000000

IIS5 and lower

Install URLscan [2]

Note

Microsoft's IIS 5 supports the non-RFC-compliant method TRACK, which is basically the same as the TRACE method. This should be disabled as well (by installing URLScan).

[1]https://github.com/PeterMosmans/security-scripts/
[2]https://technet.microsoft.com/en-us/security/cc242650.aspx
