WebApp Sec mailing list archives

Re: Technical Note by Amit Klein: "XST Strikes Back"


From: Ivan Ristic <ivan.ristic () gmail com>
Date: Wed, 25 Jan 2006 18:50:10 +0000

2. For Apache, use mod_rewrite to prevent support for TRACE (see
   [1]). Make sure to place the directive in the <proxy> section of
   the httpd.conf file. Also, It would be a good idea to append the
   "[nocase]" flag to the RewriteCond directive, to ensure case
   insensitive comparison (though it seems that Apache will only
   serve fully uppercase HTTP methods).

One minor point: as of 1.3.34, 2.0.55, and 2.2.0 Apache is capable of
disabling TRACE natively via the TraceEnable directive:

http://httpd.apache.org/docs/1.3/mod/core.html#traceenable
http://httpd.apache.org/docs/2.0/mod/core.html#traceenable
http://httpd.apache.org/docs/2.2/mod/core.html#traceenable

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
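As an added configuration example (not part of the original post or of Amit Klein's note), here are the two ways of refusing TRACE that the thread mentions, in Apache 2.2 httpd.conf syntax: the native TraceEnable directive for the versions listed above, and the mod_rewrite fallback for older builds. The hostname is a placeholder.

```apache
# Preferred on Apache >= 1.3.34 / 2.0.55 / 2.2.0: refuse TRACE in the core.
# Apache answers a TRACE request with 405 Method Not Allowed, so the
# mod_rewrite rule below is not needed. Valid in server config and
# <VirtualHost> context.
TraceEnable off

# Fallback for older builds without TraceEnable: reject TRACE via mod_rewrite.
# [NC] (long form: nocase) makes the method comparison case-insensitive.
# The rule only covers the context it is placed in (here: a virtual host);
# a rule in one .htaccess file only protects that directory tree.
<VirtualHost *:80>
    ServerName www.example.invalid   # placeholder hostname
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE [NC]
    RewriteRule .* - [F]
</VirtualHost>
```

To confirm the setting took effect after a reload, send a TRACE request (for example `curl -i -X TRACE http://www.example.invalid/`) and check that the status line is 405 (TraceEnable off) or 403 (the rewrite rule) rather than a 200 response that echoes the request headers back; the echo is what the XST technique relies on.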
