Tomcat Config Query

Document ID : KB000038628
Last Modified Date : 27/06/2018
Issue:

The web server running on a number of hosts had the HTTP TRACE method enabled. This method may be used to facilitate various forms of attack. 

The HTTP TRACE method causes the HTTP server to generate a response body containing the data sent to the server by the client. This includes sensitive data such as HTTP cookies sent in request headers. 

This functionality can be used to bypass security controls, such as the 'httpOnly' cookie flag which prevents client-side scripting code from accessing HTTP cookies. By sending a TRACE request to the site, client-side code can read session cookies from the body of the response, potentially raising the impact of cross-site scripting attacks. 

HTTP TRACE is normally used only during testing or debugging, and is unlikely to be required for ongoing site functionality.

The recommendation from the pen testers is to disable TRACE by adding the following rules to the Tomcat config (these are Apache httpd mod_rewrite directives; the [F] flag answers a matching request with 403 Forbidden): 

RewriteEngine on 
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) 
RewriteRule .* - [F] 

Resolution:

For the Spectrum Web application, we have disabled the PUT, DELETE and TRACE methods in Apache: 

<security-constraint> 
  <web-resource-collection> 
    <web-resource-name>Forbidden</web-resource-name> 
    <url-pattern>/*</url-pattern> 
    <http-method>PUT</http-method> 
    <http-method>DELETE</http-method> 
    <http-method>TRACE</http-method> 
  </web-resource-collection> 
  <auth-constraint /> 
</security-constraint>

This constraint belongs in the web application's WEB-INF/web.xml, i.e. it is enforced by the Tomcat servlet container rather than by an httpd front end. The empty <auth-constraint /> is what turns it into a denial: omitting the element would constrain nothing, and naming a role-name would only require the caller to log in. Tomcat answers the listed methods on /* with 403. TRACE is additionally refused with 405 regardless of web.xml, because the Connector attribute allowTrace defaults to false. The mod_rewrite rules quoted in the Issue section apply only to an Apache httpd server in front of Tomcat, where TraceEnable off is the equivalent directive.
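As an added check (example code written for this article, not part of the Spectrum product or of the KB's own resolution): the script below parses a web.xml and reports which of PUT, DELETE and TRACE are still open on /*, telling the correct empty <auth-constraint /> apart from the two common mistakes (no auth-constraint at all, which constrains nothing, and a role-name, which only requires login). The sample web.xml strings are constructed for the example. live_check sends each method to a running server and expects 403 (security-constraint) or 405 (Connector allowTrace=false); the host and port it takes from the command line are assumptions.

```python
"""Added example (not CA/Broadcom code): audit a Tomcat web.xml for a
security-constraint that denies PUT, DELETE and TRACE to everyone, then
optionally confirm the behaviour against a running server.  The web.xml
samples at the bottom are constructed for this example."""
import sys
import xml.etree.ElementTree as ET

DENY_METHODS = frozenset({"PUT", "DELETE", "TRACE"})


def _local(tag):
    """'{http://xmlns.jcp.org/xml/ns/javaee}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def denied_methods(web_xml_text, path="/*"):
    """Methods that web.xml denies to *everyone* on `path`.

    Only a constraint with an EMPTY <auth-constraint/> denies outright: no
    auth-constraint at all means unrestricted, and a <role-name> merely
    requires login.  A collection that lists no <http-method> covers every
    method and is reported as '*'.
    """
    root = ET.fromstring(web_xml_text)
    denied = set()
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = [c for c in sc if _local(c.tag) == "auth-constraint"]
        if not auth or any(_local(r.tag) == "role-name" for r in auth[0]):
            continue                       # unrestricted, or login-only
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            patterns = {p.text.strip() for p in wrc
                        if _local(p.tag) == "url-pattern" and p.text}
            if path not in patterns:
                continue
            methods = {m.text.strip().upper() for m in wrc
                       if _local(m.tag) == "http-method" and m.text}
            denied |= methods or {"*"}
    return denied


def audit(web_xml_text, required=DENY_METHODS, path="/*"):
    """Return the required methods that web.xml still leaves open on `path`."""
    denied = denied_methods(web_xml_text, path)
    return set() if "*" in denied else set(required) - denied


def live_check(host, port=8080, path="/", use_tls=False, methods=DENY_METHODS):
    """Send each method to a running server; return those not answered 403/405.

    Tomcat answers a security-constraint denial with 403, and a TRACE blocked
    by the Connector's allowTrace="false" default with 405.  Needs network
    access, so it is not exercised by the offline samples below.
    """
    import http.client
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    still_open = set()
    for method in sorted(methods):
        conn = conn_cls(host, port, timeout=5)
        conn.request(method, path)
        status = conn.getresponse().status
        conn.close()
        if status not in (403, 405):
            still_open.add(method)
    return still_open


_HEAD = '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">'
_COLLECTION = """<web-resource-collection>
    <web-resource-name>Forbidden</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
    <http-method>TRACE</http-method>
  </web-resource-collection>"""

# Constructed samples: the KB's constraint, then the two common mistakes.
GOOD_WEB_XML = f"""{_HEAD}<security-constraint>
  {_COLLECTION}
  <auth-constraint/>
</security-constraint></web-app>"""

ROLE_ONLY_WEB_XML = f"""{_HEAD}<security-constraint>
  {_COLLECTION}
  <auth-constraint><role-name>admin</role-name></auth-constraint>
</security-constraint></web-app>"""

NO_AUTH_WEB_XML = f"""{_HEAD}<security-constraint>
  {_COLLECTION}
</security-constraint></web-app>"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_WEB_XML), ("role-only", ROLE_ONLY_WEB_XML),
                       ("no-auth-constraint", NO_AUTH_WEB_XML)):
        print(f"{name}: still open -> {sorted(audit(text)) or 'none'}")
    if len(sys.argv) > 1:      # hypothetical usage: python audit_webxml.py spectrum-host 8080
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
        print(f"{host}:{port} still accepts -> {sorted(live_check(host, port)) or 'none'}")
```

Run it against the real file with audit(open("WEB-INF/web.xml").read()) after editing, and against the deployed instance with live_check once Tomcat has been restarted; an empty set from both is the expected result. A 405 for TRACE on an otherwise unconstrained path simply reflects Tomcat's allowTrace default and is not evidence that the web.xml change took effect.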