WebApp Sec mailing list archives
Re: Technical Note by Amit Klein: "XST Strikes Back"
From: Ivan Ristic <ivan.ristic () gmail com>
Date: Wed, 25 Jan 2006 18:50:10 +0000
2. For Apache, use mod_rewrite to prevent support for TRACE (see [1]). Make sure to place the directive in the <proxy> section of the httpd.conf file. Also, It would be a good idea to append the "[nocase]" flag to the RewriteCond directive, to ensure case insensitive comparison (though it seems that Apache will only serve fully uppercase HTTP methods).
One minor point: as of 1.3.34, 2.0.55, and 2.2.0 Apache is capable of disabling TRACE natively via the TraceEnable directive: http://httpd.apache.org/docs/1.3/mod/core.html#traceenable http://httpd.apache.org/docs/2.0/mod/core.html#traceenable http://httpd.apache.org/docs/2.2/mod/core.html#traceenable -- Ivan Ristic Apache Security (O'Reilly) - http://www.apachesecurity.net Open source web application firewall - http://www.modsecurity.org ------------------------------------------------------------------------- This List Sponsored by: Watchfire Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download AppScan 6.0 today. https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh --------------------------------------------------------------------------
Current thread:
- Technical Note by Amit Klein: "XST Strikes Back" Amit Klein (AKsecurity) (Jan 24)
- Re: Technical Note by Amit Klein: "XST Strikes Back" Ivan Ristic (Jan 26)