Testing for HTTP TRACE method
Simplest way I can think of is using cURL (which is scriptable).

    curl -v -X TRACE http://www.yourserver.com

Running it against an Apache server with TraceEnable Off correctly returns HTTP/1.1 405 Method Not Allowed (just tested on an Apache 2.2.22).
This also works on HTTPS sites, provided that cURL has the correct information supplied to the SSL layer. This is the lazy man's check of Google:

    curl --insecure -v -X TRACE https://www.google.com/

...it negotiates the connection (does not verify the certificate chain, but that's not the issue here since we want to check on TRACE status), and responds 405:

    * Server certificate:
    * subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
    * start date: 2013-02-20 13:34:56 GMT
    * expire date: 2013-06-07 19:43:27 GMT
    * subjectAltName: www.google.com matched
    * issuer: C=US; O=Google Inc; CN=Google Internet Authority
    * SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
    > TRACE / HTTP/1.1
    > User-Agent: curl/7.25.0 (x86_64-suse-linux-gnu) libcurl/7.25.0 OpenSSL/1.0.1c zlib/1.2.7 libidn/1.25 libssh2/1.4.0
    > Host: www.google.com
    > Accept: */*
    < HTTP/1.1 405 Method Not Allowed

There are two ways:

STEP 1:

    openssl s_client -connect example.com:443

STEP 2:

    TRACE / HTTP/1.1
    host: example.com

(press enter twice)

or

    OPTIONS / HTTP/1.1
    host: example.com

(press enter twice) (you might need to paste these rapidly, so copy and paste them rather than typing them out)

STEP 3: Verify the output; it should give error 400 if I'm not mistaken.

Another tool you can use is gnutls.
You could use a proxy, like Burp Suite or Zap, and follow some simple steps:
- set up your browser to pass through the chosen proxy;
- make a normal HTTP request (e.g. GET /index.php HTTP/1.1) and intercept it;
- change the HTTP method to TRACE and send the request to the server;
- check the HTTP response.
If the response includes the whole request, then TRACE is enabled and working properly.
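
A scripted version of the checks described in the answers above, as an added example that is not part of any answer: it sends TRACE with a random marker header and reports "enabled" only when that marker is reflected in a 200 response. The `X-Trace-Probe` header name, the function names and the two local test servers are assumptions constructed for the illustration; with `use_tls=True` the certificate chain is verified, unlike `curl --insecure`.

```python
import http.client
import threading
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

def check_trace(host, port, use_tls=False, timeout=5):
    """Send TRACE / with a random marker header; return (verdict, status)."""
    marker = uuid.uuid4().hex  # unique value we expect to see reflected
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"X-Trace-Probe": marker})
        resp = conn.getresponse()
        body = resp.read(65536).decode("latin-1")
    finally:
        conn.close()
    if resp.status == 200 and marker in body:
        return "enabled", resp.status       # our request came back in the body
    if resp.status >= 400:
        return "disabled", resp.status      # e.g. 405 Method Not Allowed
    return "inconclusive", resp.status      # redirect, or 200 without an echo

class EchoTrace(BaseHTTPRequestHandler):
    """Constructed local test server that reflects TRACE requests."""
    reflect = True
    def log_message(self, *args):           # silence per-request logging
        pass
    def do_TRACE(self):
        if not self.reflect:
            return self.send_error(405)
        hdrs = "".join(f"{k}: {v}\r\n" for k, v in self.headers.items())
        body = (self.requestline + "\r\n" + hdrs).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class TraceOff(EchoTrace):
    """Constructed local test server that refuses TRACE with 405."""
    reflect = False

def start_local(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

if __name__ == "__main__":
    for handler in (EchoTrace, TraceOff):
        srv = start_local(handler)
        print(handler.__name__, check_trace("127.0.0.1", srv.server_port))
```

Checking for the reflected marker rather than the status code alone avoids counting a server that answers TRACE with an ordinary 200 page as having TRACE enabled.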