TRACE works as designed! Panic! Run for the hills!

WhiteHat Security, perhaps in an attempt to make themselves appear important, or, perhaps because they really thought it was true, released a security alert a few days ago. You can read it HERE (http://www.whitehatsec.com/press_releases/WH-PR-20030120.txt)

In summary, here it is.

HTTP provides a TRACE method, for debugging purposes. When you send a TRACE request, the server sends it straight back to you as the body of its response: request line, headers, the lot.

WhiteHat’s security alert said that when you send a TRACE request, the server sends it straight back to you as the body of its response: request line, headers, the lot.

Pretty scary, huh?

So, basically, they are saying what the rest of us have known for as long as there has been a TRACE method. After all, it is in the HTTP specification, and you have read that, right?

Apparently, they think that you should not be able to get at information that you just sent to the server. It is secret or something.

And they provide a variety of scary JavaScript examples that use TRACE to read back the browser’s own request, cookies and authentication headers included, and send it off to some third-party site. This, they say, is where the vulnerability actually lies, and they blame it on the TRACE method. The fact of the matter is that the client has always had access to this data: it is the client that sent it in the first place. Perhaps, just perhaps, this could be construed as a flaw in JavaScript, in that script running in a page can get at cookies or auth information and post them to some other site. But that is possible by other means which are not nearly so tortuous.

So, folks, if you are in a panic about TRACE, you might want to read http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=104333761011676&w=2 which discusses it a little more scientifically than I have, and explains why it is a bunch of hogwash. You can feel free to disable TRACE on your Apache server if you really want to (on httpd 1.3.34, 2.0.55 and later it is a single TraceEnable off in the server configuration), but it won’t gain you anything other than a false sense of security.
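Since the whole argument turns on what TRACE actually hands back, here is the loop-back in miniature. This is an example added to this page, not code from the original post, from WhiteHat or from Apache httpd: a standard-library Python server that echoes TRACE the way RFC 2616 section 9.8 describes (request line plus headers back as a message/http body), a client that sends one carrying a made-up Cookie header and picks its own headers back out of the echo, and a second server mode that refuses TRACE with a 405, which is all that disabling it on a real server amounts to. The cookie value is constructed for the demo and the server only ever listens on 127.0.0.1 on an ephemeral port.

```python
"""Minimal loop-back of an HTTP TRACE request.

Added example, not code from the original post, from WhiteHat or from
Apache httpd. A tiny stdlib HTTP server on 127.0.0.1 echoes TRACE the
way RFC 2616 section 9.8 describes (request line plus headers back as a
message/http body), a client sends a TRACE carrying a constructed Cookie
header and parses the echo to recover what it sent, and a second server
mode refuses TRACE with 405, which is all "disabling TRACE" amounts to.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class TraceHandler(BaseHTTPRequestHandler):
    """Implements TRACE only; every other method gets the default 501."""
    protocol_version = "HTTP/1.1"
    trace_enabled = True  # set to False to emulate a server with TRACE off

    def do_TRACE(self):
        if not self.trace_enabled:
            self.send_error(405, "Method Not Allowed")
            return
        # RFC 2616 9.8: the entity body of the response is the request
        # message the server received, so the client sees exactly what
        # arrived: request line, then every header, then a blank line.
        echo = self.requestline + "\r\n"
        echo += "".join(f"{name}: {value}\r\n" for name, value in self.headers.items())
        echo += "\r\n"
        body = echo.encode("iso-8859-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server(trace_enabled=True):
    """Start a server on an ephemeral loopback port in a daemon thread."""
    handler = type("Handler", (TraceHandler,), {"trace_enabled": trace_enabled})
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def send_trace(port, cookie):
    """Send TRACE / with a Cookie header; return (status, raw response body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("TRACE", "/", headers={"Cookie": cookie})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body


def parse_echo(body):
    """Split a message/http echo into (request line, {lower-cased header: value})."""
    text = body.decode("iso-8859-1")
    request_line, _, rest = text.partition("\r\n")
    headers = {}
    for line in rest.split("\r\n"):
        if not line:  # the blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def trace_round_trip(trace_enabled=True, cookie="session=constructed-demo-value"):
    """Run one TRACE against a fresh server; return (status, request line, headers).

    Request line and headers are None when the server refused TRACE.
    """
    server, port = start_server(trace_enabled)
    try:
        status, body = send_trace(port, cookie)
    finally:
        server.shutdown()
        server.server_close()
    if status != 200:
        return status, None, None
    request_line, headers = parse_echo(body)
    return status, request_line, headers


if __name__ == "__main__":
    status, request_line, headers = trace_round_trip()
    print(status, request_line)
    for name, value in headers.items():
        print(f"  {name}: {value}")
    print(trace_round_trip(trace_enabled=False)[0], "when TRACE is disabled")
```

Run it and the echo contains the request line followed by Host, Accept-Encoding and Cookie, which is exactly what the client put on the wire and nothing the server added; with TRACE disabled the only thing that changes is a 405 in place of the echo.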