Thursday, July 28, 2011

To verify if TRACE is enabled/disabled for Apache Webserver

After TRACE has been disabled according to the instructions mentioned in my thread, the server responds to a TRACE request with HTTP status code 403 (FORBIDDEN).

Using telnet to verify the configuration for a non-SSL web server port
The telnet command provided with most operating systems can be used to verify that the configuration changes to disable TRACE have been made. Note that telnet can only be used to test non-SSL ports, since it does not have the capability to perform the SSL handshake or to encrypt the data.

$ telnet 127.0.0.1 8080
Trying...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.0
A: b
C: d
Host: foo

HTTP/1.1 403 Forbidden
Date: Mon, 04 Oct 2004 14:23:31 GMT
Server: IBM_HTTP_SERVER
Connection: close
Content-Type: text/html; charset=iso-8859-1

Forbidden

You don't have permission to access /
on this server.

Connection closed.

The information sent by the client is no longer echoed, and the request fails with HTTP status code 403.

If a TRACE request still returns status code 200, verify that the required directives were added to the main scope of the configuration file and to all containers, and that the web server has been restarted to activate the updated configuration.
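
Since telnet cannot test SSL ports, the same check can be scripted for both kinds of port. The Python script below is an added example, not part of the original post: it sends the same kind of TRACE request over a plain or TLS socket and applies the 403/200 rule described above. The marker header and the two sample responses are constructed for illustration.

```python
import socket
import ssl

# Constructed marker header; if it comes back in the body, the server echoed the request.
MARKER = b"X-Trace-Check: constructed-marker"

def build_request(host):
    """TRACE request in the same shape as the telnet session above."""
    return b"TRACE / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n" + MARKER + b"\r\n\r\n"

def classify(response):
    """Map a raw HTTP response to 'disabled', 'enabled' or 'unknown'."""
    head, _, body = response.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return "unknown"
    echoed = MARKER.lower() in body.lower()
    if parts[1] == b"200" or echoed:
        return "enabled"    # request still honoured or echoed back
    if parts[1] == b"403":
        return "disabled"   # the result expected after the configuration change
    return "unknown"        # any other status needs a manual look

def probe(host, port, use_tls=False, timeout=5.0):
    """Send the TRACE probe to host:port and classify the reply."""
    raw = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        # Default context verifies the certificate, so host must match it.
        conn = ssl.create_default_context().wrap_socket(raw, server_hostname=host)
    else:
        conn = raw
    with conn:
        conn.sendall(build_request(host))
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify(b"".join(chunks))

# Constructed sample responses (not captured from a real server).
SAMPLE_403 = (b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n"
              b"Forbidden\nYou don't have permission to access /\n")
SAMPLE_200 = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
              + build_request("foo"))

if __name__ == "__main__":
    print(classify(SAMPLE_403), classify(SAMPLE_200))
```

Call probe("127.0.0.1", 8080) for the non-SSL port from the telnet session, or pass use_tls=True with the server's certificate host name for an SSL port.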
