Vulnerability name: Unsafe HTTP methods
- Aliases
  - Web server HTTP Trace/Track method support
  - Cross-site tracing vulnerability
  - Dangerous HTTP methods
- Scope
  - Although this is a server configuration issue, the client is at risk here
- Remediation
  - Disable TRACE and/or TRACK and/or DEBUG methods
Verification
Using curl, one can employ one of the methods by hand:
curl -sIX TRACE $TARGET | awk 'NR==1 {print $2}'
Vulnerable when: the result is 200
One should expect (not vulnerable) 405 (Method Not Allowed) or 501 (Not Implemented) results.
This executes the TRACE method against $TARGET, and prints out the HTTP status code using awk. The -I parameter fetches the head only, -s stands for silent mode, and -X specifies the method.
The easiest way to test whether a server is vulnerable is by using the script analyze_hosts.py [1]. This script uses curl as well as nmap to perform multiple tests.
analyze_hosts.py --trace http://www.target.com
Note
When an OPTIONS method is issued, the web server should return the supported methods. Some web servers have a habit of replying with methods that are in fact not supported, which does not combine nicely with inferior security scanners (and pentesters, I might add) that rely on the OPTIONS command. Always verify the method itself, and do not rely on the OPTIONS method (or on the results of a security scanner).
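An added check, written for this page (it is not part of the original text nor of analyze_hosts.py), that goes one step further than the curl one-liner above, in the spirit of the Note: it sends a TRACE request carrying a random canary header and only reports "vulnerable" when the response body actually echoes that header back, so a server that answers 200 to any method is not mistaken for one with TRACE enabled. The header name X-Trace-Canary and the two loopback test servers are constructed for the demonstration.

```python
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CANARY_HEADER = "X-Trace-Canary"  # assumed header name; any unusual name works

def classify_trace(status, body, canary):
    """Map a TRACE response to a verdict. A 200 alone is not proof: the body
    must echo our request (which is what TRACE does) to count as vulnerable."""
    if status in (405, 501):
        return "not vulnerable"
    if status == 200 and f"{CANARY_HEADER}: {canary}" in body:
        return "vulnerable"
    return f"unclear (HTTP {status}, request not echoed)"

def check_trace(host, port, timeout=5):
    """Send TRACE / with a random canary header and classify the reply."""
    canary = secrets.token_hex(8)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={CANARY_HEADER: canary})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
    finally:
        conn.close()
    return classify_trace(resp.status, body, canary)

class EchoTraceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a misconfigured server: TRACE echoes the request."""
    def do_TRACE(self):
        echoed = self.raw_requestline + str(self.headers).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echoed)))
        self.end_headers()
        self.wfile.write(echoed)

class DenyTraceHandler(EchoTraceHandler):
    """Constructed stand-in for a hardened server (e.g. Apache with TraceEnable Off)."""
    def do_TRACE(self):
        self.send_error(405)

if __name__ == "__main__":
    # Demo only: run the probe against both constructed servers on loopback.
    for handler in (EchoTraceHandler, DenyTraceHandler):
        srv = HTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        print(handler.__name__, "->", check_trace("127.0.0.1", srv.server_port))
        srv.shutdown()
```

Against a real host, call check_trace(host, port) and treat "unclear" as a prompt to inspect the raw response by hand rather than as a pass.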
Explanation
There are a number of official (standards compliant) HTTP methods:
OPTIONS, HEAD, GET, POST, PUT, DELETE, TRACE, CONNECT
An ordinary web server supports the HEAD, GET and POST methods to retrieve static and dynamic content (enabling WebDAV on a web server will add support for the PUT and DELETE methods).
TRACE and TRACK are methods intended for debugging purposes. They echo the content of the request back to the client, and an attacker could steal credentials by combining this with a client-side attack (cross-site tracing).
These HTTP methods should not be supported on public web servers, as they increase the attack surface.
Solution/remediation
Apache
Add the following to your Apache httpd.conf file:
TraceEnable Off
IIS7 and higher
appcmd.exe set config /section:requestfiltering /+verbs.[verb='TRACE',allowed='false']
IIS6
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters]
"EnableTraceMethod"=dword:00000000
IIS5 and lower
Note
Microsoft's IIS 5 supports the non-RFC compliant method TRACK, which is basically the same as the TRACE method. This should be disabled as well (by installing URLScan).
[1] https://github.com/PeterMosmans/security-scripts/
[2] https://technet.microsoft.com/en-us/security/cc242650.aspx