TRACE Request: how to disable in IIS5

From: Mike Beste (mbeste@fulcrum.net)
Date: 01/24/03


From: "Mike Beste" <mbeste@fulcrum.net>
Date: Thu, 23 Jan 2003 16:23:56 -0800

As described in the article here:

http://www.extremetech.com/article2/0,3973,841047,00.asp

***********************
summary:

page 1

A flaw in the TRACE request, a rarely used portion of the
HTTP standard akin to a "ping," makes XST possible,
broadening its scope well beyond buggy Web browsers, and
painting a sobering picture: all Web servers have TRACE
switched on by default. The affected servers power the
Web's day-to-day banking transactions and fuel the engines
of e-commerce, as well as more mundane tasks.

Immediately upon receiving the TRACE command, any Web
server will simply echo back what is sent to it. Although
this was originally intended to be a harmless and obscure
function, the HTTP header information bounced back
incorporates sensitive elements such as cookies and
credentials for accessing protected sites. When used in
tandem with scripts, information once deemed totally
secure by network architects is left out in the open.

page 2

WhiteHat has assembled recommendations that go well beyond
patching browsers for domain restriction bypass flaws.
These include suggestions on the server side such as:
disabling the TRACE request on all production and
development Web servers; having vendors update Web server
packages to disable TRACE out of the box; and complete
disclosure by vendors to inform customers how to disable
TRACE on existing servers.

Microsoft's URL Scan, included in the most recent Service
Pack to IIS, can be used as an effective deterrent to XST,
locking down IIS servers. Still, URL Scan is not the sole
solution--Apache requires a source code modification, and
Netscape's iPlanet must be edited to remove unwanted
request methods.

***********************

How do I turn off TRACE? What does the MS URL scan do?

What is an effective manner to avoid this vulnerability?

Thanks,

Mike Beste
Fulcrum Technologies, Inc.
Technet Plus Subscriber
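Checking whether TRACE is actually off after a configuration change, as an added example (not from the post or the article it quotes): this Python probe sends a TRACE carrying a marker header and a dummy cookie, and treats the verb as enabled only when the server answers 200 and echoes the marker back, the echo the article describes. The two local handlers are constructed stand-ins, one echoing TRACE and one rejecting it with 405 (a real hardened server may answer 403, 404 or 501 instead, which the probe also counts as disabled).

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = "X-Trace-Probe"  # header we expect echoed back if TRACE is on

def trace_enabled(host, port, path="/", timeout=5):
    """Send one TRACE; return (enabled, status, body). 'Enabled' means 200 plus
    our marker echoed in the body, the behaviour that exposes cookies; any
    other answer (405, 403, 404, 501, ...) counts as disabled."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={MARKER: "check", "Cookie": "probe=1"})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
        return resp.status == 200 and MARKER in body, resp.status, body
    finally:
        conn.close()

class EchoingTraceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server with TRACE left on: echoes the request."""
    def do_TRACE(self):
        # Request line plus every header we received, cookie included
        echo = f"{self.requestline}\r\n{self.headers.as_string()}".encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)

class HardenedHandler(EchoingTraceHandler):
    """Constructed stand-in for a server that rejects the TRACE verb."""
    def do_TRACE(self):
        self.send_error(405, "Method Not Allowed")

def check_handler(handler):
    """Serve `handler` on a random loopback port, probe it, then shut it down."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return trace_enabled("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    for name, h in (("echoing", EchoingTraceHandler), ("hardened", HardenedHandler)):
        on, status, _ = check_handler(h)
        print(f"{name} server: HTTP {status}, TRACE {'ENABLED' if on else 'disabled'}")
```

Point `trace_enabled()` at a real host and port to verify a production server; a body that contains the cookie you sent is the exposure the article is about.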
