
08/02/2008

PowerShell Script to Test for TRACE method

This article has been superseded by this one. 
No further updates will be made to this article. 

UPDATE: This script has been slightly updated to allow you to test for other methods. See here for more details. 

In a previous post, I described an iRule for BigIP that lets you disable the TRACE method; you can attach it to your VIPs instead of manually checking your hundreds of servers to verify whether the TRACE method is enabled or disabled. Most modern web servers (Apache, IIS 6+, Tomcat 5.5+) ship with the TRACE method disabled, however.

In another post I described a theory as to why the PCI scanner keeps flagging your sites as vulnerable: it is not actually issuing a TRACE request but an OPTIONS request, and it scrapes the response headers. You could ask your third-party auditor, but they may not know or won't tell you, which leaves it up to you to verify that the vulnerability has really been remedied.

The following PowerShell script, only slightly adapted from the very good book Pro Windows PowerShell published by Apress (so author Hristo Deshev deserves all the credit), lets you test what happens when a TRACE method is executed against your newly iRule-protected sites. Executing "./testSiteForTrace.ps1 <url>" returns True if TRACE requests work and False if they fail. It also has the added bonus of printing the message received from the server when a False is generated. I do not yet understand why the script returns False when a trailing slash is added to the URL, though. For example, "testSiteForTrace.ps1 http://www.apache.org" returns True but "testSiteForTrace.ps1 http://www.apache.org/" returns False. If anyone knows, let me know please.

param ($url)

# Any exception raised below (timeout, connection dropped by the server,
# or a WebException for an HTTP error status such as 405) lands here:
# print the server's message, abort the request and fall through to $false.
trap {
    Write-Host $_
    $request.Abort()
    continue
}

$request = [System.Net.WebRequest]::Create($url)
$request.Method = "TRACE"
$request.Timeout = 5000   # milliseconds

# GetResponse() throws for non-success statuses, so reaching the status
# check already means the server answered the TRACE. Keep a single response
# object rather than calling GetResponse() twice, and always close it.
$response = $request.GetResponse()
$traceWorks = ($response.StatusCode -eq [System.Net.HttpStatusCode]::OK)
$response.Close()
if ($traceWorks) {
    return $true
}

return $false


Running this against one of my sites, I get the following message: "The underlying connection was closed: An unexpected error occurred on a receive." Which is perfect!
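As an added example (not part of the original post or of the book the script comes from), the Python below separates the two signals the post talks about: what a server advertises in the Allow header of an OPTIONS response, which is what the scanner theory above says gets scraped, and what the server actually does with a TRACE request. A genuine TRACE success is a 200 whose body echoes the request back with Content-Type message/http; a 405, or a connection dropped the way the message above describes, is a rejection even when Allow still lists TRACE. The sample responses are constructed, not captured from any real host, and probe_live is an assumed helper for running the same two requests against your own site.

```python
"""Reconcile what a server advertises (OPTIONS/Allow) with what it does (TRACE)."""
import http.client
from urllib.parse import urlsplit


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def methods_advertised(options_raw: bytes):
    """Methods listed in the Allow header of an OPTIONS response (upper-cased set)."""
    _, headers, _ = parse_response(options_raw)
    allow = headers.get("allow", "")
    return {m.strip().upper() for m in allow.split(",") if m.strip()}


def trace_succeeded(trace_raw: bytes, expected_prefix: bytes = b"TRACE") -> bool:
    """True only if the server really performed the TRACE: status 200,
    Content-Type message/http, and a body that echoes our request line."""
    status, headers, body = parse_response(trace_raw)
    if status != 200:
        return False
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return ctype == "message/http" and body.startswith(expected_prefix)


def classify(options_raw: bytes, trace_raw: bytes) -> str:
    """Combine the advertised and observed behaviour into one verdict."""
    advertised = "TRACE" in methods_advertised(options_raw)
    if trace_succeeded(trace_raw):
        return "TRACE enabled"
    if advertised:
        return "TRACE advertised in Allow but rejected (likely scanner false positive)"
    return "TRACE disabled"


# Constructed sample responses (not captured from any real host).
OPTIONS_ADVERTISES_TRACE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    b"Content-Length: 0\r\n\r\n"
)
OPTIONS_NO_TRACE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS\r\n"
    b"Content-Length: 0\r\n\r\n"
)
TRACE_REJECTED_405 = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS\r\n"
    b"Content-Length: 0\r\n\r\n"
)
TRACE_ECHOED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"Content-Length: 43\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
)


def probe_live(url: str, timeout: float = 5.0):
    """Assumed helper (not in the original post): send OPTIONS and TRACE to url
    and return what came back. A dropped connection or timeout is recorded as
    an error, which for TRACE means the server did not honour the method."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    results = {}
    for method in ("OPTIONS", "TRACE"):
        conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
        try:
            conn.request(method, parts.path or "/")
            resp = conn.getresponse()
            results[method] = {"status": resp.status, "reason": resp.reason,
                               "allow": resp.getheader("Allow"),
                               "content_type": resp.getheader("Content-Type")}
        except (OSError, http.client.HTTPException) as exc:
            results[method] = {"error": str(exc)}
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    print(classify(OPTIONS_ADVERTISES_TRACE, TRACE_REJECTED_405))
    print(classify(OPTIONS_ADVERTISES_TRACE, TRACE_ECHOED))
```

The point of classify is that the Allow header alone can produce exactly the false positive the post suspects: the server says TRACE is allowed, yet the TRACE request itself is refused, which is the condition the PowerShell script above reports as False.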

Creative Commons Attribution-ShareAlike 3.0 Unported