Preventing HTTP TRACE Method Cross Site Scripting Attacks

What is a cross-site scripting attack?

“Cross-site scripting (XSS) is a simple idea at heart: the attacker loads exploitative HTML, including a client-side script, into a web site, typically one which allows public submissions and which does not properly quote HTML tags. Any user of the site who reads the story loads the exploit into their browser. The script uses the client browser’s rights to cause mischief — typically to access information and send it to the attacker.” – LWN.NET

To block the TRACE method in the Apache configuration, insert the following directives into each virtual host on the server:

# Answer any request whose method is TRACE with 403 Forbidden
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

The [F] flag makes Apache refuse (403 Forbidden) every TRACE request, so the server never echoes the request back and this method of attack is not an option for the attacker.
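As an added example that is not part of the original post, the following Python script lets an administrator verify the change: it classifies the raw reply to a TRACE request and lists the request headers a permissive server echoes back (a Cookie header in that list is the exposure the rewrite rule removes). The two sample responses are constructed, not captured; probe() contacts a live host, and its port, path and timeout values are assumptions.

```python
import socket

# Constructed sample responses. An unprotected Apache answers TRACE with 200
# and echoes the request, cookies included: what a cross-site tracing script reads.
TRACE_ENABLED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"Content-Length: 69\r\n\r\n"
    b"TRACE / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: session=deadbeef\r\n\r\n"
)
# What the RewriteRule [F] from the post produces instead.
TRACE_BLOCKED = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
)

def parse_response(raw):
    """Split a raw HTTP response into (status code, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def trace_status(raw):
    """'enabled' if the server echoed the request, 'blocked' on 403/405."""
    status, headers, _ = parse_response(raw)
    if status == 200 and headers.get("content-type", "").startswith("message/http"):
        return "enabled"
    if status in (403, 405):  # 403 from RewriteRule [F]; 405 from TraceEnable off
        return "blocked"
    return "unknown"

def echoed_headers(raw):
    """Names of request headers the server echoed back (Cookie means exposure)."""
    if trace_status(raw) != "enabled":
        return []
    body = parse_response(raw)[2].decode("latin-1")
    return [line.split(":", 1)[0] for line in body.split("\r\n")[1:] if ":" in line]

def probe(host, port=80, path="/"):
    """Send one TRACE to a host you administer and classify the reply."""
    req = f"TRACE {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(req.encode("ascii"))
        raw = b"".join(iter(lambda: sock.recv(4096), b""))
    return trace_status(raw), echoed_headers(raw)
```

Run probe("www.example.com") against each virtual host after the rule is in place; the expected result is ("blocked", []).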
