WebApp Sec mailing list archives
Re: rating TRACE
From: Simon Ward <simon () westpoint ltd uk>
Date: Fri, 14 Nov 2014 12:57:16 +0000
On 2014-11-13 16:13, Seth Art wrote:
> If you are lucky, it might be a false positive. I have seen cases where OPTIONS tells you that TRACE is supported, but if you try the TRACE method, you get a 501 Not Implemented. Worth a try.
For Apache HTTP Server, using the TraceEnable directive it should be 405 Method Not Allowed. If using rewrite rules to disable it, there's a choice, but the usual would be 403 Forbidden.
If your tester is just relying on the OPTIONS method, please find a better tester.
Simon
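The check discussed in this message, as an added example that is not part of the original thread: it sends OPTIONS, then a real TRACE, and judges the finding from the TRACE response (405, 403 or 501 against an advertised method is a false positive). The `MARKER` header, the function names and the local stub server are constructed for the illustration.

```python
import http.client
import threading
from contextlib import closing
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = "X-Trace-Check"  # hypothetical header; an enabled TRACE echoes it back

def classify(allow, status, body):
    """Judge TRACE from the TRACE response itself, not from the Allow header."""
    advertised = "TRACE" in [m.strip().upper() for m in (allow or "").split(",")]
    if status == 200 and MARKER.lower() in body.lower():
        return "enabled"
    if status in (403, 405, 501):  # rewrite rule, TraceEnable off, not implemented
        return "false positive" if advertised else "disabled"
    return "inconclusive"

def fetch(host, port, method, headers=None):
    with closing(http.client.HTTPConnection(host, port, timeout=5)) as conn:
        conn.request(method, "/", headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Allow"), resp.read().decode("latin-1")

def probe(host, port):
    _, allow, _ = fetch(host, port, "OPTIONS")
    status, _, body = fetch(host, port, "TRACE", {MARKER: "probe-1"})
    return classify(allow, status, body)

class Stub(BaseHTTPRequestHandler):  # constructed local server, always advertises TRACE
    trace_status = 405
    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, OPTIONS, TRACE")
        self.end_headers()
    def do_TRACE(self):
        if self.trace_status != 200:
            return self.send_error(self.trace_status)
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.end_headers()
        self.wfile.write((self.requestline + "\r\n" + str(self.headers)).encode())
    def log_message(self, *args):
        pass  # keep the demo quiet

def run_stub(trace_status):
    handler = type("H", (Stub,), {"trace_status": trace_status})
    with HTTPServer(("127.0.0.1", 0), handler) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        result = probe("127.0.0.1", srv.server_address[1])
        srv.shutdown()
        return result
```

`run_stub(405)` reproduces the case from the thread: OPTIONS lists TRACE, but the method itself is refused.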