Monday, October 19, 2009

telnet - How to trace and disable the HTTP TRACE method in Apache 1.3.33 with FreeBSD

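One way to test if TRACE has been disabled is to telnet to port 80 and type the request yourself (the TRACE and host lines below, followed by a blank line; the other lines are telnet's output):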

telnet myserver.com 80
Connected to myserver.com (1.2.3.4).
Escape character is '^]'.
TRACE / HTTP/1.1
host: myserver.com


If a 400-series error such as the one below is printed, TRACE has been disabled:

HTTP/1.1 403 Forbidden
Date: Tue, 11 Nov 2008 15:26:33 GMT
Server: Apache/2.0.52 (OS Version)
Accept-Ranges: bytes
Content-Length: 3985
Connection: close
...
... html
... html
...
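
The same check as the telnet session above, scripted so it can be repeated after a configuration change. This is an added example, not part of the original post; the function names, the X-Trace-Probe header and the three result labels are assumptions made for illustration.

```python
import secrets
import socket
import sys

def build_trace_request(host, marker, path="/"):
    """The request typed into telnet, plus a marker header to look for in the echo."""
    lines = [
        f"TRACE {path} HTTP/1.1",
        f"Host: {host}",
        f"X-Trace-Probe: {marker}",  # constructed header name, not from the post
        "Connection: close",         # ask the server to close so recv() sees EOF
        "", "",                      # blank line that ends the request
    ]
    return "\r\n".join(lines).encode("ascii")

def classify_trace_response(raw, marker):
    """Return 'enabled', 'disabled' or 'inconclusive' for a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return "inconclusive"        # empty reply or not an HTTP status line
    status = int(parts[1])
    if status == 200 and marker.encode("ascii") in body:
        return "enabled"             # server echoed our request back: TRACE works
    if 400 <= status < 500 or status == 501:
        return "disabled"            # e.g. 403 Forbidden, 405 Method Not Allowed
    return "inconclusive"            # redirect, 200 without an echo, other 5xx

def probe_trace(host, port=80, timeout=5.0, max_bytes=65536):
    """Send one TRACE request over plain HTTP and classify the reply."""
    marker = "probe-" + secrets.token_hex(8)
    received = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host, marker))
        while len(received) < max_bytes:
            chunk = sock.recv(4096)
            if not chunk:
                break
            received += chunk
    return classify_trace_response(received, marker)

if __name__ == "__main__":
    # Usage: python trace_check.py myserver.com
    print(probe_trace(sys.argv[1]))
```

A 200 response only counts as "enabled" when the body echoes the marker header, because a TRACE-enabled server returns the request it received as the response body.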


Other commands you might try:


HEAD / HTTP/1.0
host: your_domain.com
((hit enter))

HEAD /index.html HTTP/1.0
host: your_domain.com
((hit enter))

HEAD / HTTP/1.1
host: your_domain.com
((hit enter))

HEAD /index.html HTTP/1.1
host: your_domain.com
((hit enter))

GET / HTTP/1.0
host: your_domain.com
((hit enter))

GET /index.html HTTP/1.0
host: your_domain.com
((hit enter))

GET / HTTP/1.1
host: your_domain.com
((hit enter))

GET /index.html HTTP/1.1
host: your_domain.com
((hit enter))

Connection: Close

I am not exactly sure of the difference between these commands above yet.
