This is the main page for Test4Trac, a Perl script that tests a web server for support of the HTTP TRACE and HTTP TRACK methods. test4trac.pl grew out of features that were added to CryptoNark, so if you want a single tool that tests for TRACE and TRACK and also tests SSL ciphers, use CryptoNark. This tool turned out to be useful enough to run as a standalone tester, however, which is why it was released as a separate download.
The main purpose of this script is to automate execution of HTTP TRACE and HTTP TRACK requests against a web site. A finding that crops up from time to time on PCI scans is the "Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability". Remediation steps vary by web server platform, but under normal change management guidelines, verification of the change is typically required. test4trac.pl can be used to perform that verification. It can also, obviously, be used to test whether the reported vulnerability exists, is a false positive, or does not exist.
Usage is fairly simple. Execute ./test4trac.pl with no arguments to get a list of parameters, or simply run './test4trac.pl <host> <port>'.
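As an added example (not test4trac.pl itself and not CryptoNark code), the following Python script shows the check the page describes: send a TRACE and a TRACK request, then classify the reply as enabled, disabled or inconclusive. A reply is only counted as "enabled" when the server returns 200 and echoes the request back, which is the condition behind the cross-site tracing finding. The header name X-Trace-Check, the probe marker value and the sample responses are constructed for this example; check_host needs network access, while classify and the embedded samples run offline.

```python
"""Verify whether a web server accepts HTTP TRACE / TRACK (added example, not test4trac.pl)."""
import socket
import ssl
import sys

METHODS = ("TRACE", "TRACK")
MARKER_HEADER = "X-Trace-Check"  # hypothetical header name; seeing it echoed proves reflection


def build_request(method, host):
    """Minimal HTTP/1.1 request carrying a marker header that a permissive server will echo."""
    return (
        f"{method} / HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"{MARKER_HEADER}: probe-{method.lower()}\r\n"
        "Connection: close\r\n\r\n"
    )


def parse_status(response):
    """Extract the numeric status code from a raw HTTP response."""
    status_line = response.split("\r\n", 1)[0]
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def classify(method, response):
    """Decide from the raw response whether METHOD is enabled.

    'enabled'      -> 200 and the body echoes our marker header (cross-site tracing condition)
    'disabled'     -> the server rejects the method outright
    'inconclusive' -> anything else; inspect by hand
    """
    status = parse_status(response)
    _, _, body = response.partition("\r\n\r\n")
    if status == 200 and f"{MARKER_HEADER}: probe-{method.lower()}" in body:
        return "enabled"
    if status in (403, 405, 501):
        return "disabled"
    return "inconclusive"


def check_host(host, port=80, use_tls=False, timeout=5.0):
    """Send TRACE and TRACK to host:port and classify each reply (requires network access)."""
    results = {}
    for method in METHODS:
        sock = socket.create_connection((host, port), timeout=timeout)
        if use_tls:
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
        try:
            sock.sendall(build_request(method, host).encode("ascii"))
            chunks = []
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        finally:
            sock.close()
        results[method] = classify(method, b"".join(chunks).decode("latin-1"))
    return results


# Constructed sample responses (not captured from any real server).
SAMPLE_ENABLED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: message/http\r\n"
    "Connection: close\r\n\r\n"
    "TRACE / HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "X-Trace-Check: probe-trace\r\n"
    "Connection: close\r\n\r\n"
)
SAMPLE_DISABLED = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Allow: GET, HEAD, POST\r\n"
    "Connection: close\r\n\r\n"
)
SAMPLE_INCONCLUSIVE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Connection: close\r\n\r\n"
    "<html>ok</html>"
)

if __name__ == "__main__":
    if len(sys.argv) >= 3:
        tls = len(sys.argv) > 3 and sys.argv[3].lower() == "tls"
        for method, verdict in check_host(sys.argv[1], int(sys.argv[2]), use_tls=tls).items():
            print(f"{method}: {verdict}")
    else:
        # Offline demonstration against the constructed samples.
        print("TRACE vs SAMPLE_ENABLED:     ", classify("TRACE", SAMPLE_ENABLED))
        print("TRACE vs SAMPLE_DISABLED:    ", classify("TRACE", SAMPLE_DISABLED))
        print("TRACE vs SAMPLE_INCONCLUSIVE:", classify("TRACE", SAMPLE_INCONCLUSIVE))
```

Run with a host and port (and an optional third argument `tls` for HTTPS) to perform the live check; with no arguments it classifies the embedded samples. Treat "inconclusive" as a prompt for manual inspection rather than a pass: a 200 whose body does not echo the request can come from a proxy or load balancer answering in front of the server, which is exactly the case where a scan finding and a remediation change can disagree.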
Remediation HOWTO Documents
I have published a few remediation documents if you need assistance in disabling Trace and/or Track. They are located on the HOWTO mini-site. Direct links are provided below as well.
- HOWTO: Disable Trace/Track in IIS
- HOWTO: Disable Trace/Track in Apache HTTPD
- HOWTO: Disable Trace/Track in Your BigIP LTM
You can download the current version from the Downloads page.