Securing Apache: Disabling TRACE to prevent XSS

Cross-site tracing (XST) is one of the most prevalent threats on the Internet today. An XST attack combines XSS with the HTTP TRACE method. HTTP TRACE is enabled by default in many web servers and is primarily used for debugging: the client sends an HTTP TRACE request with all of its header information, including cookies, and the server simply echoes that same data back. If the usual ways of stealing a cookie or other information with JavaScript are blocked, for example by marking the cookie “httpOnly”, an attacker may instead force the browser to send an HTTP TRACE request and forward the server’s response to another site. “httpOnly” is an extra attribute on a cookie that hides the cookie from script.

HttpOnly was considered one of the best ways to stop XSS attacks from fetching the victim’s cookies, until it was found that the web server’s HTTP TRACE method can be used to bypass the HttpOnly security mechanism. An XST attack is an XSS attack that uses TRACE. If TRACE is enabled on the server, it echoes back the information sent in the HTTP request. So if the victim’s browser holds a cookie from the target web server, or is logged in to the server through an implicit authentication mechanism, the echoed response contains the victim’s current set of cookies, which the attacker’s script can then read.

Disabling TRACE on the web server is an effective security measure. However, if there is a proxy server between the client and the web server, it is possible to force the proxy server to respond to the TRACE request instead of the origin server. To do this, the attacker includes “Max-Forwards: 0” in the HTTP request header; on seeing this, the first proxy server answers the TRACE request itself instead of forwarding it to the web server.


How to disable TRACE in Apache?


To disable TRACE in Apache we need the mod_rewrite module installed, and then follow the steps below:

  1. Activate mod_rewrite in httpd.conf by adding the following entry:

LoadModule rewrite_module modules/mod_rewrite.so

  2. Add the following lines to httpd.conf to disable TRACE:

RewriteCond %{REQUEST_METHOD} ^TRACE

RewriteRule .* - [F]

  3. Now restart the Apache web server. After TRACE has been disabled according to the instructions above, any incoming TRACE request will be answered with an HTTP status code of either 403 or 405.

When security is the major concern:


  1. The first step towards security is to disable the TRACE request method on the web servers.
  2. Disable TRACE in proxy server configurations.
  3. Disable TRACE in your browser’s “XmlHttpRequest” object.
  4. Upgrade the browser version at regular intervals.
