Testing for HTTP TRACE method

  • How can I test for HTTP TRACE on my web-server?

    I need to train a Tester how to verify that the HTTP TRACE method is disabled.

    Ideally I need a script to paste into Firebug to initiate a https connection to return the web server response to a HTTP TRACE command.


    Our security Pen Testers identified a HTTP TRACE vulerability and we need to prove that it is fixed.


  • LSerni

    LSerni Correct answer

    8 years ago

    Simplest way I can think of is using cURL (which is scriptable).

     curl -v -X TRACE http://www.yourserver.com

    Running it against an Apache server with TraceEnable Off correctly returns HTTP/1.1 405 Method Not Allowed (just tested on an Apache 2.2.22)

    This also works on HTTPS sites, provided that cURL has the correct information supplied to the SSL layer. This is the lazy man's check of Google

    curl --insecure -v -X TRACE https://www.google.com/

    ...it negotiates the connection (does not verify the certificate chain, but that's not the issue here since we want to check on TRACE status), and responds 405:

    * Server certificate:
    *        subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
    *        start date: 2013-02-20 13:34:56 GMT
    *        expire date: 2013-06-07 19:43:27 GMT
    *        subjectAltName: www.google.com matched
    *        issuer: C=US; O=Google Inc; CN=Google Internet Authority
    *        SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
    > TRACE / HTTP/1.1
    > User-Agent: curl/7.25.0 (x86_64-suse-linux-gnu) libcurl/7.25.0 OpenSSL/1.0.1c zlib/1.2.7 libidn/1.25 libssh2/1.4.0
    > Host: www.google.com
    > Accept: */*
    < HTTP/1.1 405 Method Not Allowed

    While probably being the simplest solution over plain HTTP, this doesn't work over HTTPS.

    I've tried with Google (trace disabled) and another server (trace enabled) and it seems to work to me. Updating answer...

    Thanks everyone for the great answers, but this answer was the most user friendly of the lot.

    I was getting **Empty reply from server** when running this remotely. SSHing into the server and doing `curl -v -X TRACE` worked for me.

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM