How to disable the HTTP TRACE /TRACK method to remove this Website Vulnerabilities for IIS/Apache

The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. The HTTP TRACE method, as described in RFC 2516 of the HTTP 1.1 standard, is used for debugging and network analysis purposes. When enabled, a remote attacker could leverage this functionality with known cross-site scripting and other Web browser vulnerabilities, to obtain sensitive information about the Web server, including server cookies and authentication information. The attacker could then use this information to launch further attacks against the affected Web server
Who is Participating?
Julian MatzJoint ChairpersonCommented:
I presume you have the latest stable release of Apache, in which case you should be able to use the following in your httpd.conf to turn this off:

TraceEnable off

Also, you might be interested in the Apache module, mod_security:
Brijeshk9Author Commented:
and what to do with IIS 5 & 6.........?
Julian MatzJoint ChairpersonCommented:
You might find this interesting for IIS 4 and higer:
Cloud Class® Course: SQL Server Core 2016

This course will introduce you to SQL Server Core 2016, as well as teach you about SSMS, data tools, installation, server configuration, using Management Studio, and writing and executing queries.

Brijeshk9Author Commented:
can anyone helpl me to provide the excat steps we need to perform on it in IIS/Apache..!
Julian MatzJoint ChairpersonCommented:

For Apache:

1. Open up your Apache configuration.

2. Add following lines:

 RewriteEngine On RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule .* - [F]

3. Save your configuration file.

4. Restart Apache.

For IIS:

 1. Download the Setup.exe file for UrlScan 2.5.
(Link: )

2. Double-click the Setup.exe icon.

3. Review the agreement in the UrlScan Installer Package End User Agreement and then click Yes to accept the agreement and continue. If you click No, the installer will close.

4. When the installer completes, the following message is displayed: "UrlScan has been successfully installed." Click OK to close the installer.

Note: according to US Detp. of Homeland Security, IIS 6 does not seem to be subject to the vulnerability.
Brijeshk9Author Commented:
Thanks ,I  have installed the url scan 2.5 on my server(win 2k),is that enough or I need to do more with this url scan on my server running iis 5 to disable HTTP TRACE /TRACK method .
Brijeshk9Author Commented:
as per the url shared by you i got:one line in urlscan.ini ie:
UseAllowVerbs=1   ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section,so here i need to change the value form 1 to 0 or i need to replace this UseAllowVerbs with UseDenyVerbs...?
Julian MatzJoint ChairpersonCommented:
Set UseAllowVerbs to 1 and define your HTTP methods in AllowVerbs (UseAllowVerbs=1)

You should define the following methods:


All other methods including TRACK will be denied using this configuration.
Julian MatzJoint ChairpersonCommented:
When UseAllowVerbs is set to 1, DenyVerbs will be ignored and any methods not defined in AllowVerbs will automatically get rejected.

On the other hand, if you want to ONLY deny the TRACK method, then you could set UseAllowVerbs to 0 and put TRACK into DenyVerbs. Using this configuration, all methods defined in AllowVerbs will be ignored.
Brijeshk9Author Commented:
Ok,i have chnaged the value ofUseAllowVerbs to 0 and i have some values given there in DenyVerbs
Please correct me if i have given the wrong entry for TRCE/TRACK.
UseAllowVerbs=0                ; if 1, use [AllowVerbs] section, else use [DenyVerbs] section
UseAllowExtensions=0           ; if 1, use [AllowExtensions] section, else use [DenyExtensions] section
NormalizeUrlBeforeScan=1       ; if 1, canonicalize URL before processing
VerifyNormalization=1          ; if 1, canonicalize URL twice and reject request if a change occurs
AllowHighBitCharacters=0       ; if 1, allow high bit (ie. UTF8 or MBCS) characters in URL
AllowDotInPath=0               ; if 1, allow dots that are not file extensions
RemoveServerHeader=0           ; if 1, remove "Server" header from response
EnableLogging=1                ; if 1, log UrlScan activity
PerProcessLogging=0            ; if 1, the UrlScan.log filename will contain a PID (ie. UrlScan.123.log)
AllowLateScanning=0            ; if 1, then UrlScan will load as a low priority filter.
PerDayLogging=1                ; if 1, UrlScan will produce a new log each day with activity in the form UrlScan.010101.log
RejectResponseUrl=             ; UrlScan will send rejected requests to the URL specified here. Default is /<Rejected-by-UrlScan>
UseFastPathReject=0            ; If 1, then UrlScan will not use the RejectResponseUrl or allow IIS to log the request

; If RemoveServerHeader is 0, then AlternateServerName can be
; used to specify a replacement for IIS's built in 'Server' header

LogLongUrls=0                  ; If 1, then up to 128K per request can be logged.
                               ; If 0, then only 1k is allowed.

; LoggingDirectory can be used to specify the directory where the
; log file will be created.  This value should be the absolute path
; (ie. c:\some\path).  If not specified, then UrlScan will create
; the log in the same directory where the UrlScan.dll file is located.



; The verbs (aka HTTP methods) listed here are those commonly
; processed by a typical IIS server.
; Note that these entries are effective if "UseAllowVerbs=1"
; is set in the [Options] section above.



; The verbs (aka HTTP methods) listed here are used for publishing
; content to an IIS server via WebDAV.
; Note that these entries are effective if "UseAllowVerbs=0"
; is set in the [Options] section above.
Julian MatzJoint ChairpersonCommented:
That looks ok to me, but I would set UseAllowVerbs to '1' instead of '0' because then UrlScan will ONLY allow GET, HEAD and POST and deny everything else, including what you have in your [DenyVerbs] list.
Brijeshk9Author Commented:
but that is already configured in my IIS 5,and i am getting this tarck/tarce problem...!
Julian MatzJoint ChairpersonCommented:
Use the configuration you have posted above


TRACK/TRACE should then get blocked.
Brijeshk9Author Commented:
ok,Thanks,let me try it..!
Brijeshk9Author Commented:
yes its working now,now I want to put a page/URL for all the rejected requests by URL scan: "/<Rejected-By-UrlScan>"
can we do it..!
Brijeshk9Author Commented:
any suggestion...!
Brijeshk9Author Commented:
Thank you

I'm using Tomcat 5.5.23 and I'm not able to fine httpd.conf file. Please help.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.