TRACE_Method是HTTP(超文本传输)协议定义的一种协议调试方法,该方法会使服务器原样返回任意客户端请求的任何内容。
TRACE和TRACK是用来调试web服务器连接的HTTP方式。支持该方式的服务器存在跨站脚本漏洞,通常在描述各种浏览器缺陷的时候,把"Cross-Site-Tracing"简称为XST。攻击者可以利用此漏洞欺骗合法用户并得到他们的私人信息。
关闭Apache的TRACE请求:
虚拟主机用户可以在.htaccess文件中添加如下代码过滤TRACE请求:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
关闭方法:
服务器用户在主配置文件httpd.conf尾部添加如下指令后重启apache即可:
TraceEnable off
可以直接配置在ServerRoot参数下面
测试方法:
通过telnet到HTTP的某个服务端口,进行测试,如下描述(红色为你要输入的部分)。
关闭前测试会返回200 OK:
[root@web001 ~]$ telnet xxx.xxx.xxx.xxx 80
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx).
Escape character is '^]'.
TRACE / HTTP/1.0
X-Test:abcde
HTTP/1.1 200 OK
Date: Wed, 18 Jul 2012 06:49:19 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_jk/1.2.28
Connection: close
Content-Type: message/http
TRACE / HTTP/1.0
X-Test: abcde
Connection closed by foreign host.
关闭后测试会返回405 Method Not Allowed:
[root@web001 ~]$ telnet xxx.xxx.xxx.xxx 80
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx).
Escape character is '^]'.
TRACE / HTTP/1.0
X-Test:abcde
HTTP/1.1 405 Method Not Allowed
Date: Wed, 18 Jul 2012 06:50:05 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_jk/1.2.28
Allow:
Content-Length: 223
Connection: close
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug