Testing for HTTP TRACE method
How can I test for HTTP TRACE on my web-server?
I need to train a Tester how to verify that the HTTP TRACE method is disabled.
Ideally I need a script to paste into Firebug to initiate an HTTPS connection to return the web server response to an HTTP TRACE command.
Our security Pen Testers identified an HTTP TRACE vulnerability and we need to prove that it is fixed.
Simplest way I can think of is using cURL (which is scriptable).
curl -v -X TRACE http://www.yourserver.com
Running it against an Apache server with TraceEnable Off correctly returns HTTP/1.1 405 Method Not Allowed (just tested on an Apache 2.2.22).
This also works on HTTPS sites, provided that cURL has the correct information supplied to the SSL layer. This is the lazy man's check of Google:
curl --insecure -v -X TRACE https://www.google.com/
...it negotiates the connection (does not verify the certificate chain, but that's not the issue here since we want to check on TRACE status), and responds 405:
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
* start date: 2013-02-20 13:34:56 GMT
* expire date: 2013-06-07 19:43:27 GMT
* subjectAltName: www.google.com matched
* issuer: C=US; O=Google Inc; CN=Google Internet Authority
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> TRACE / HTTP/1.1
> User-Agent: curl/7.25.0 (x86_64-suse-linux-gnu) libcurl/7.25.0 OpenSSL/1.0.1c zlib/1.2.7 libidn/1.25 libssh2/1.4.0
> Host: www.google.com
> Accept: */*
< HTTP/1.1 405 Method Not Allowed
While probably being the simplest solution over plain HTTP, this doesn't work over HTTPS.
I've tried with Google (trace disabled) and another server (trace enabled) and it seems to work to me. Updating answer...
Thanks everyone for the great answers, but this answer was the most user friendly of the lot.
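A scripted form of the cURL check from the answer above, added here as an example and not part of the original posts. It sends TRACE with a canary header and reports whether the server echoed it back. The header name X-Trace-Canary and the verdict labels are assumptions made for this example, as is treating 501 and 403 as refusals alongside the 405 shown above.

```shell
#!/usr/bin/env bash
# Added example: verify that a web server refuses HTTP TRACE.
# Assumption: X-Trace-Canary is a made-up header used only to spot an echo.

# classify_trace STATUS BODY CANARY -> prints DISABLED, ENABLED or INCONCLUSIVE
classify_trace() {
    status=$1 body=$2 canary=$3
    case "$status" in
        # 405 is what the page shows; 501 and 403 are assumed refusals too.
        405|501|403)
            echo DISABLED ;;
        2??)
            # A working TRACE echoes the request, headers included, in the body.
            case "$body" in
                *"$canary"*) echo ENABLED ;;
                *)           echo INCONCLUSIVE ;;
            esac ;;
        *)
            # Redirects, timeouts (000) and other codes prove nothing either way.
            echo INCONCLUSIVE ;;
    esac
}

# check_trace URL -> sends TRACE with a per-run canary and classifies the reply.
# Returns 0 only when the verdict is DISABLED.
check_trace() {
    url=$1
    canary="trace-check-$$-$(date +%s)"
    tmp=$(mktemp) || return 2
    status=$(curl --silent --show-error --max-time 10 -X TRACE \
        -H "X-Trace-Canary: $canary" \
        --output "$tmp" --write-out '%{http_code}' "$url") || status=000
    body=$(cat "$tmp"); rm -f "$tmp"
    verdict=$(classify_trace "$status" "$body" "$canary")
    echo "$url status=$status TRACE=$verdict"
    [ "$verdict" = DISABLED ]
}

# Check every URL given on the command line; exit non-zero if any is not DISABLED.
if [ "$#" -gt 0 ]; then
    rc=0
    for u in "$@"; do check_trace "$u" || rc=1; done
    exit "$rc"
fi
```

Run it with one or more URLs as arguments. An INCONCLUSIVE result, such as a redirect, means the tester should repeat the check against the final URL.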