How to disable TRACE method for Apache

Jephe Wu - http://linuxtechres.blogspot.com

Environment: Apache web server
Objective: Disable trace/track method


Steps:
1. How to test to confirm if a website supports trace/track
 a. for port 80

telnet jephe.domain.com 80
TRACE / HTTP/1.1
 Host: jephe.domain.com
 [CR]   (an empty line, i.e. press Enter once more, ends the request)
If you see a positive response (status code 200) whose body echoes your own request back, the server supports TRACE.
If it's 403 Forbidden (the mod_rewrite block from step 2) or 405 Method Not Allowed (TraceEnable off), TRACE is disabled.
 
or, if you don't have telnet, you can use the nc command:

nc jephe.domain.com 80
TRACE / HTTP/1.1
Host: jephe.domain.com
[CR]

or ask the server which methods it allows:

telnet server/ipaddr 80
OPTIONS * HTTP/1.0   (method names are case-sensitive: type them in capital letters)
[CR]

If 'TRACE' appears in the Allow header of the response, the core server has the method enabled. You can still refuse the request with a rewrite rule (method 2 below), but be aware of the following:

TRACE and OPTIONS

The OPTIONS method can be used by a client to determine which methods are allowed. Even when TRACE is disabled using the mod_rewrite method in step 2, the OPTIONS response will still report that TRACE is allowed, so an OPTIONS check alone is not proof that TRACE is blocked. However, the TRACE request itself will be rejected with a 403 error before it is processed, and the potentially harmful behaviour of TRACE, echoing the input data back in the response, is prevented. To confirm, always send a real TRACE request as shown above.
 
 b. for port 443
openssl s_client -connect jephe.domain.com:443 -servername jephe.domain.com
.....   (certificate and handshake output; type the request once it stops. -servername selects the right virtual host when the server uses SNI)
TRACE / HTTP/1.1
 Host: jephe.domain.com
 [CR]

or
openssl s_client -connect jephe.domain.com:443 -servername jephe.domain.com
....
OPTIONS * HTTP/1.0
[CR]

and look for the Allow header in the response, for example:

Allow: GET,HEAD,POST,OPTIONS,TRACE
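The checks in step 1 scripted, as an added example that is not part of the original post: it builds the TRACE and OPTIONS requests with the CRLF line endings and Host header HTTP/1.1 needs, classifies the reply by status code and by whether the request was echoed back (200 = enabled, 403 = refused by the mod_rewrite block, 405 = refused by TraceEnable off), and parses the Allow header of an OPTIONS reply. The host name and port on the command line are placeholders, and the sample reply at the bottom is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not code from the original post: send TRACE and OPTIONS
# probes and classify the answers the way step 1 does by hand.
# Host names and ports given on the command line are placeholders.

# Raw request for one method. HTTP/1.1 requires a Host header, and the
# empty line (CRLF CRLF) ends the headers; that is what "[CR]" means above.
# $1 = method, $2 = host, $3 = request target ("/" or "*")
build_request() {
    printf '%s %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$1" "$3" "$2"
}

# Read a raw HTTP response on stdin and print one word:
#   enabled      200 and the request was echoed back (TRACE works)
#   blocked-403  the mod_rewrite [F] rule refused it
#   blocked-405  TraceEnable off refused it
#   unknown      anything else (200 without an echo, 404, timeout, ...)
classify_trace_response() {
    resp=$(tr -d '\r')
    status=$(printf '%s\n' "$resp" | head -n 1 | awk '{print $2}')
    case "$status" in
        200)
            # Apache answers TRACE with Content-Type: message/http and the
            # original request line as the first line of the body.
            if printf '%s\n' "$resp" | grep -q '^TRACE '; then
                echo enabled
            else
                echo unknown
            fi ;;
        403) echo blocked-403 ;;
        405) echo blocked-405 ;;
        *)   echo unknown ;;
    esac
}

# Print the methods listed in the Allow header of an OPTIONS response,
# one per line. Stops at the blank line so the body is never parsed.
allowed_methods() {
    tr -d '\r' | awk -F': *' '
        NF == 0 { exit }
        tolower($1) == "allow" {
            gsub(/[ \t]/, "", $2)
            n = split($2, m, ",")
            for (i = 1; i <= n; i++) print m[i]
        }'
}

# "yes" if TRACE is advertised in Allow, else "no". Remember that the
# mod_rewrite block still advertises TRACE here; only a real TRACE
# request proves it is refused.
trace_in_allow() {
    if allowed_methods | grep -qx TRACE; then echo yes; else echo no; fi
}

# Talk to a live server: plain TCP via nc, or TLS via openssl s_client.
# The sleep keeps stdin open long enough for the reply to arrive before
# the client sees end-of-file. -servername selects the right SNI vhost.
# $1 = host, $2 = port, $3 = method, $4 = target, $5 = "tls" for HTTPS
probe() {
    if [ "$5" = tls ]; then
        { build_request "$3" "$1" "$4"; sleep 2; } |
            openssl s_client -quiet -connect "$1:$2" -servername "$1" 2>/dev/null
    else
        { build_request "$3" "$1" "$4"; sleep 2; } | nc "$1" "$2"
    fi
}

# Constructed sample reply (not captured from a real server) showing the
# echo that marks an enabled TRACE.
SAMPLE_TRACE_ENABLED='HTTP/1.1 200 OK
Content-Type: message/http

TRACE / HTTP/1.1
Host: jephe.domain.com
'

if [ "$#" -ge 2 ]; then
    # usage: ./trace-probe.sh jephe.domain.com 443 tls
    probe "$1" "$2" TRACE / "$3" | classify_trace_response
    probe "$1" "$2" OPTIONS '*' "$3" | trace_in_allow
else
    printf '%s' "$SAMPLE_TRACE_ENABLED" | classify_trace_response   # prints: enabled
fi
```

Run it with a host and port (and "tls" for port 443) to probe a server; with no arguments it only classifies the embedded sample. The two lines it prints answer the two questions separately: whether a TRACE request actually gets through, and whether OPTIONS merely advertises it.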
2. How to disable it?
method 1: TraceEnable off (available in Apache 1.3.34, 2.0.55 and later, including 2.2 and 2.4).
Put it in the main httpd.conf server configuration; it then applies to every virtual host, and the server answers TRACE with 405 Method Not Allowed.

This is simpler, more direct, and requires less overhead than using mod_rewrite, so prefer it whenever your Apache version supports it.

method 2: mod_rewrite, repeated in every virtual host (mod_rewrite must be loaded, and rewrite rules are not inherited by virtual hosts unless you set RewriteOptions Inherit)
# Block TRACE/TRACK XSS vector
 RewriteEngine On
 RewriteCond %{REQUEST_METHOD} ^TRAC(E|K)
 RewriteRule .* - [F]

The [F] flag answers with 403 Forbidden. TRACK is the IIS name for the same method; Apache does not implement it, but matching it as well costs nothing.
 
3. Why we should disable the TRACE method

The HTTP TRACE method asks a web server to echo the contents of the request back to the client for debugging purposes: the complete request, including HTTP headers, is returned in the entity-body of the TRACE response. Using features that provide client-side HTTP protocol support, such as XMLHTTP ActiveX or XMLDOM scripting objects, a web site can cause browsers to issue TRACE requests. The site can then read the TRACE response, including sensitive header information such as cookies or authentication data; this is the cross-site tracing (XST) attack described in reference a. Because the cookie comes back in the response body rather than through document.cookie, the HttpOnly flag does not protect it. Current browsers refuse to send TRACE from script, but disabling the method on the server removes the dependency on the client, and a production server has no use for it.
 
4. References
a. Web servers enable HTTP TRACE method by default (CERT VU#867593) - http://www.kb.cert.org/vuls/id/867593
b. Secure Apache TRACE Vulnerabilities - http://cobaltfaqs.com/index.php/Secure_Apache_TRACE_Vulnerabilities
c. Apache core directives, TraceEnable - http://httpd.apache.org/docs/2.2/mod/core.html#traceenable