Checking if TRACE is enabled

Written by adam on Thu, 05/31/2007 - 13:48

Hacker Safe and ControlScan are two companies that prey on the naive. They cost over $1000/yr to get a little logo to show up on your site that says you're safe from the hackers. Such a joke. They also make outrageous claims like this one from Hacker Safe:
Hacker Safe is stupid

One of the tests they perform is to check if TRACE is enabled on your http server. According to HackerSafe and ControlScan, this is a CRITICAL error.

telnet www.somedomain.com 80 
TRACE / HTTP/1.1
Host: www.somedomain.com
TRACE: yes

(Hint: enter twice after you put in the Host: line)

Lets see if www.apple.com is susceptible to hackers:

$ telnet www.apple.com 80
Trying 17.149.160.10...
Connected to www.apple.com.akadns.net.
Escape character is '^]'.
OPTIONS / HTTP/1.1
Host: www.apple.com

TRACE / HTTP/1.1
Connection: keep-alive
Host: www.apple.com
TRACE: yes
Via: 1.0 eg-netcache04 (NetCache NetApp/6.0.4P1D6)
X-Forwarded-For: 17.112.153.72
x-user-addr: 17.112.154.48

The same variable: "TRACE: yes" was reported back to us from apple. This means trace is enabled.

adam's blog
to post comments

Main menu

You are here

User login

Checking if TRACE is enabled