HOWTO: Disable Trace/Track in Your BigIP LTM
Introduction
Disabling TRACE and TRACK on web sites that sit behind a BigIP LTM, in order to clear PCI scanner findings such as "Web Server HTTP TRACE/TRACK Method Support Cross-Site Tracing Vulnerability", is done with an iRule: the LTM inspects the method of every request and refuses TRACE and TRACK before they reach the web servers, so the back-end servers themselves need no changes.
Validation Steps
If your web server is listening on port 80, by far the easiest (and most universal) way to determine whether it is vulnerable is telnet. Open your telnet client and connect to the web site/web server on port 80 (telnet <hostname> <port>). If you are using the Microsoft telnet client, be careful: by default it does not echo what you type, so enter the request slowly and exactly. Once connected, type the following:
TRACE / HTTP/1.0
Host: <hostname_you_are_testing>
TestA: Hello
TestB: World
Press Enter twice (the blank line terminates the request). If TRACE is enabled you should see output similar to the following. The body is a copy of the request you just sent, including the two test headers; that reflection is exactly what cross-site tracing abuses to read headers such as cookies that a script cannot otherwise see:
HTTP/1.1 200 OK
Server: Apache
Date: Tue, 04 Aug 2009 20:17:15 GMT
Content-Type: message/http
Content-Length: 76
TRACE / HTTP/1.0
Host: <hostname_you_are_testing>
TestA: Hello
TestB: World
The request and response for the HTTP TRACK method (a Microsoft IIS alias of TRACE) are identical, for testing purposes, to those for TRACE; simply substitute TRACK for TRACE. If you need to test a host that listens only on SSL port 443 (and does not expose a plain HTTP port), use openssl's s_client: type "openssl s_client -connect <hostname>:<sslport>". Add "-servername <hostname>" if the site depends on SNI, and consider "-quiet", which suppresses the certificate dump and keeps the connection open until the server closes it. Once connected, enter the request above exactly as you would over telnet. Because an iRule is applied per virtual server, test every VIP that fronts the site, on both its HTTP and HTTPS listeners; a TRACE that is refused on port 80 can still be answered on 443.
If you use Perl, I put together a script called 'test4trac' that tests whether a site allows TRACE and TRACK. It can be downloaded from my blog's download page, and more information is available on the test4trac information page.
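For readers who would rather script the check than type it into telnet, here is an added example, written for this page and not the author's test4trac script, that sends the same probe over plain TCP or TLS and decides whether the server echoed it. It assumes the target host and port are given on the command line, that certificate validation is turned off (as with s_client, this is a method check, not a certificate check), and the three sample responses at the bottom are constructed, not captured from any real host. It goes a little beyond the manual procedure in one respect: it does not trust a 200 status on its own, because some servers answer 200 with an ordinary page for methods they do not understand, which is not exploitable.

```python
"""Probe a web server for enabled HTTP TRACE/TRACK (cross-site tracing).

Sends the same request the telnet procedure types by hand and decides
whether the server echoed it back. Hostname and port come from the command
line; the sample responses at the bottom are constructed for offline tests.
"""
import socket
import ssl
import sys

# The two marker headers from the manual test; seeing them in the body proves the echo.
TEST_HEADERS = (("TestA", "Hello"), ("TestB", "World"))


def build_request(method, host, path="/"):
    """Build the probe request (HTTP/1.0 so the server closes after replying)."""
    lines = [f"{method} {path} HTTP/1.0", f"Host: {host}"]
    lines += [f"{name}: {value}" for name, value in TEST_HEADERS]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw):
    """Split a raw response into (status code or None, lower-cased headers, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # tolerate servers that use bare LF line endings
        head, sep, body = raw.partition(b"\n\n")
    lines = head.decode("iso-8859-1").splitlines()
    if not lines or not lines[0].startswith("HTTP/"):
        return None, {}, body
    parts = lines[0].split(None, 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def is_echoed(method, raw):
    """True when the server reflected our request: a 200 status plus our request
    line and both marker headers in the body. Status alone is not enough."""
    status, _headers, body = parse_response(raw)
    if status != 200:
        return False
    text = body.decode("iso-8859-1", "replace")
    return text.startswith(f"{method} ") and all(
        f"{name}: {value}" in text for name, value in TEST_HEADERS
    )


def probe(host, port, method, use_tls=False, timeout=5.0):
    """Send one probe and return (echoed?, raw response bytes)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        # Assumption: like s_client we accept any certificate. server_hostname
        # still sends SNI so the right virtual server answers.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_request(method, host))
        chunks = []
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks)
    return is_echoed(method, raw), raw


# Constructed sample responses (not captured from a real host).
# A TRACE-enabled Apache echoing the probe; the echoed body is 71 bytes long.
SAMPLE_ECHOED = (
    b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: message/http\r\n"
    b"Content-Length: 71\r\n\r\n"
    b"TRACE / HTTP/1.0\r\nHost: www.example.com\r\nTestA: Hello\r\nTestB: World\r\n\r\n"
)
# What the 405 iRule variant returns.
SAMPLE_BLOCKED = b"HTTP/1.0 405 Method Not Allowed\r\nContent-Length: 18\r\n\r\nMethod Not Allowed"
# A 200 that is not an echo (a server that serves its index page for any method).
SAMPLE_NOT_ECHOED = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\n<p>x\n"


if __name__ == "__main__":
    # Usage: python trace_probe.py <host> <port> [tls]
    host, port = sys.argv[1], int(sys.argv[2])
    use_tls = len(sys.argv) > 3 and sys.argv[3] == "tls"
    for method in ("TRACE", "TRACK"):
        enabled, _raw = probe(host, port, method, use_tls=use_tls)
        print(f"{method}: {'ENABLED - vulnerable' if enabled else 'not echoed'}")
```

Run it once per VIP before and after applying the iRule; with the reject variant the connection is reset and the script reports "not echoed" on an empty response, with the 405 variant it sees the status and reports the same.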
Remediation
The easiest way to disable TRACE and TRACK on your BigIP-managed VIPs is with an iRule attached to the virtual server. The virtual server needs an HTTP profile (and, for HTTPS VIPs, a client SSL profile so the LTM can decrypt and inspect the request); without one the HTTP_REQUEST event never fires and the rule has no effect. The following iRule provides an example for disabling the TRACE and TRACK methods.
    when HTTP_REQUEST {
        # Remember the virtual server's default pool so permitted
        # requests are still load balanced exactly as before.
        set default_pool [LB::server pool]
        if { [HTTP::method] equals "TRACE" or [HTTP::method] equals "TRACK" or [HTTP::method] equals "OPTIONS" } {
            # Drop the connection: the client sees a TCP reset, not an HTTP response.
            reject
        } else {
            pool $default_pool
        }
    }

This iRule simply rejects any HTTP request that uses the TRACE or TRACK methods. Note that, as written, it also rejects OPTIONS, which the scanner finding does not require; remove that clause if any of your clients depend on OPTIONS (CORS preflight requests, for example). Because reject resets the TCP connection, the client receives no HTTP status at all. If you would rather send an HTTP-friendlier response, return a 405 Method Not Allowed instead. This requires one change to the rule above: replace reject with an HTTP 405 response and message:

    when HTTP_REQUEST {
        set default_pool [LB::server pool]
        if { [HTTP::method] equals "TRACE" or [HTTP::method] equals "TRACK" or [HTTP::method] equals "OPTIONS" } {
            # Answer from the LTM itself without forwarding to the pool;
            # noserver leaves the Server header out of the response.
            HTTP::respond 405 content "Method Not Allowed" noserver
        } else {
            pool $default_pool
        }
    }

HTTP/1.1 expects a 405 response to carry an Allow header listing the methods the resource does accept; HTTP::respond takes header name and value pairs after the content argument if you want to add one. After assigning the iRule to the virtual server, repeat the telnet or openssl test against each VIP: with the first rule the connection should close as soon as the request is sent, and with the second you should see the 405 response instead of an echo of your request.