Web Application Security
rating TRACE Nov 12 2014 04:19PM
Robin Wood (robin digi ninja) (3 replies)
Re: rating TRACE Nov 14 2014 01:41PM
Simon Ward (simon westpoint ltd uk)
Re: rating TRACE Nov 13 2014 04:13PM
Seth Art (sethsec gmail com) (3 replies)
Re: rating TRACE Nov 14 2014 04:45PM
Manolis Mavrofidis (mmavrofides gmail com)
Re: rating TRACE Nov 14 2014 12:57PM
Simon Ward (simon westpoint ltd uk)
On 2014-11-13 16:13, Seth Art wrote:
> If you are lucky, it might be a false positive. I have seen cases
> where OPTIONS tells you that TRACE is supported, but if you try the
> TRACE method, you get a 501 Not Implemented. Worth a try.

For Apache HTTP Server, using the TraceEnable directive it should be 405
Method Not Allowed. If using rewrite rules to disable it, there's a
choice, but the usual would be 403 Forbidden.

If your tester is just relying on the OPTIONS method, please find a
better tester.

Simon
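
The check this message argues for, as an added example that is not part of the original thread: send a real TRACE request and call the method enabled only when the server echoes the request back, so a 501, 405 or 403 shows up as a false positive from OPTIONS. The two loopback servers, the `X-Trace-Probe` header and the marker value are constructed for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def check_trace(host, port, timeout=5):
    """OPTIONS only advertises; TRACE is enabled only if a real request is echoed."""
    def send(method, headers):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request(method, "/", headers=headers)
        resp = conn.getresponse()
        result = resp.status, resp.getheader("Allow", ""), resp.read().decode("latin-1")
        conn.close()
        return result
    _, allow, _ = send("OPTIONS", {})
    advertised = "TRACE" in [m.strip().upper() for m in allow.split(",")]
    marker = "trace-probe-5d1e0c"  # constructed canary header value
    status, _, body = send("TRACE", {"X-Trace-Probe": marker})
    return {"advertised": advertised, "status": status,
            "enabled": status == 200 and marker in body}

class AdvertisedOnly(BaseHTTPRequestHandler):
    """Constructed server: lists TRACE in Allow, answers TRACE with 501."""
    def reply(self, header, value, body=b""):
        self.send_response(200)
        self.send_header(header, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def do_OPTIONS(self):
        self.reply("Allow", "GET, HEAD, OPTIONS, TRACE")
    def do_TRACE(self):
        self.send_error(501)

class EchoingTrace(AdvertisedOnly):
    """Constructed server: TRACE echoes the request line and headers."""
    def do_TRACE(self):
        lines = [self.requestline] + [f"{k}: {v}" for k, v in self.headers.items()]
        self.reply("Content-Type", "message/http", "\r\n".join(lines).encode("latin-1"))

def run_against(handler):
    """Start a throwaway loopback server, run the check, then stop the server."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_trace("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()

if __name__ == "__main__":
    print([run_against(h) for h in (AdvertisedOnly, EchoingTrace)])
```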

Re: rating TRACE Nov 14 2014 08:48AM
Robin Wood (robin digi ninja)
RES: rating TRACE Nov 12 2014 11:33PM
Fábio Soto (fabio andradesoto com br)


 

Copyright 2010, SecurityFocus