WebApp Sec mailing list archives

Re: rating TRACE

From: Simon Ward <simon () westpoint ltd uk>
Date: Fri, 14 Nov 2014 12:57:16 +0000

On 2014-11-13 16:13, Seth Art wrote:

If you are lucky, it might be a false positive.  I have seen cases
where OPTIONS tells you that TRACE is supported, but if you try the
TRACE method, you get a 501 Not Implemented.   Worth a try.

For Apache HTTP Server, using the TraceEnable directive it should be 405Method Not allowed. If using rewrite rules to disable it, there's achoice, but the usual would be 403 Forbidden.

If your tester is just relying on the OPTIONS method, please find abetter tester.


Simon



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.

Request Yours Now!http://www.cenzic.com/2009HClaunch_Securityfocus

--------------------------------------

Current thread:

Re: rating TRACE, (continued)
- - - Message not available
    - Re: rating TRACE Robin Wood (Nov 12)
    - RE: rating TRACE Kenneth Kron (Nov 12)
  - Message not available
    - Re: rating TRACE Robin Wood (Nov 12)
- RES: rating TRACE Fábio Soto (Nov 12)
  - Message not available
    - Re: RES: rating TRACE Robin Wood (Nov 13)
    - Re: RES: rating TRACE Martino Dell'Ambrogio (Nov 13)
    - Re: RES: rating TRACE Simon Ward (Nov 14)
    - Message not available
    - Re: RES: rating TRACE Robin Wood (Nov 14)
- Re: rating TRACE Seth Art (Nov 13)
  - Re: rating TRACE Manolis Mavrofidis (Nov 14)
  - Re: rating TRACE Simon Ward (Nov 14)
  - Re: rating TRACE Robin Wood (Nov 14)
- Re: rating TRACE Simon Ward (Nov 14)
  - Re: rating TRACE Simon Ward (Nov 14)