Disable Apache2 HTTP TRACE Method

ID: file-disable-http-trace-method

Severity: high

Author: pussycat0x

Tags: audit,config,file,apache,hardening

Description

The HTTP TRACE method should be disabled to prevent Cross-Site Tracing (XST) attacks.

YAML Source

id: file-disable-http-trace-method

info:
  name: Disable Apache2 HTTP TRACE Method
  author: pussycat0x
  severity: high
  description: |
    The HTTP TRACE method should be disabled to prevent Cross-Site Tracing (XST) attacks.
  remediation: |
    Add 'TraceEnable Off' in the Apache configuration file and restart the service.
  reference:
    - https://httpd.apache.org/docs/2.4/mod/core.html#traceenable
  metadata:
    verified: true
  tags: audit,config,file,apache,hardening

file:
  - extensions:
      - conf

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "<Directory"
          - "<FilesMatch"
        condition: and

      - type: word
        words:
          - "TraceEnable On"
          - "<IfModule mod_core.c>"
        condition: and
        negative: true
# digest: 4a0a004730450221008c842e49c2a92d3ba5eea4686c3825c57fff34411e2aab1055eae3598efbac5e022027fbc59986fc1a022bcd7a05bca6ccef29c069315c23320aa9c52127eedfeff5:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "file/audit/apache/file-disable-http-trace-method.yaml"

View on Github