Overview
Cross Site Scripting (XSS) protection can be bypassed in many browsers, for example when the user has disabled the browser's built-in XSS filter. Sending the X-XSS-Protection header lets the web application turn that protection back on even if the user disabled it. This header is used by most of the giant web companies like Facebook, Twitter, Google, etc.
Solution
- Go to the $Web_Server/conf directory
- Open httpd.conf using vi and add the following Header directive (the Header directive is provided by mod_headers, so that module must be loaded)
Header set X-XSS-Protection "1; mode=block"
b) Disable Trace HTTP Request
By default the TRACE method is enabled in the Apache web server.
Having it enabled can allow a Cross Site Tracing (XST) attack, potentially giving an attacker a way to steal cookie information. Let's see how it looks in the default configuration.
- Telnet to the web server IP on its listening port
- Send a TRACE request as shown below
#telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: test

HTTP/1.1 200 OK
Date: Sat, 31 Aug 2013 02:13:24 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: message/http

20
TRACE / HTTP/1.1
Host: test

0

Connection closed by foreign host.
#
Solution
- Go to the $Web_Server/conf directory
- Add the following directive to httpd.conf, save it and restart Apache
TraceEnable off
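The following added example (not part of the original post) automates the two checks above from a defender's side: it sends the same raw TRACE request the telnet session shows and decides from the reply whether TRACE is still enabled, and it checks a GET reply for a correctly set X-XSS-Protection header. The response parser is kept separate from the socket code so it can be exercised offline on the constructed sample replies; the host, port and 405 reply text are assumptions.

```python
import socket

def send_raw_request(host, port, request):
    """Send one raw HTTP request (as typed into telnet above) and return the reply."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request.encode("ascii"))
        # Every request carries Connection: close, so read until the server hangs up
        return sock.makefile("rb").read().decode("iso-8859-1")

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:  # tolerate bare-LF replies pasted from a hand-typed session
        head, sep, body = raw.partition("\n\n")
    lines = head.splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def trace_enabled(raw_trace_reply):
    """TRACE is live when Apache answers 200 and echoes the request as message/http.
    With TraceEnable off it answers 405 Method Not Allowed instead."""
    status, headers, _ = parse_response(raw_trace_reply)
    return status == 200 and headers.get("content-type", "").startswith("message/http")

def xss_protection_blocking(raw_reply):
    """True only when X-XSS-Protection is present as 1 with mode=block."""
    _, headers, _ = parse_response(raw_reply)
    parts = [p.strip().lower() for p in headers.get("x-xss-protection", "").split(";")]
    return parts[0] == "1" and "mode=block" in parts

def audit(host, port=80):
    """Run both checks against a live server (assumed host/port); returns the findings."""
    req = "%s / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
    trace_reply = send_raw_request(host, port, req % ("TRACE", host))
    get_reply = send_raw_request(host, port, req % ("GET", host))
    return {"trace_enabled": trace_enabled(trace_reply),
            "xss_block_header": xss_protection_blocking(get_reply)}

# Constructed sample: the default-config reply from the telnet session above (chunk 0x20 = 32 echoed bytes)
SAMPLE_TRACE_ENABLED = ("HTTP/1.1 200 OK\r\nDate: Sat, 31 Aug 2013 02:13:24 GMT\r\nServer: Apache\r\n"
                        "Transfer-Encoding: chunked\r\nContent-Type: message/http\r\n\r\n"
                        "20\r\nTRACE / HTTP/1.1\r\nHost: test\r\n\r\n0\r\n\r\n")
# Constructed sample: the kind of reply seen once TraceEnable off is in place (assumed body text)
SAMPLE_TRACE_DISABLED = ("HTTP/1.1 405 Method Not Allowed\r\nServer: Apache\r\n"
                         "Content-Type: text/html; charset=iso-8859-1\r\n\r\n<html>Method Not Allowed</html>")
```

Calling audit("localhost") against a live server returns the two findings; a value of True for trace_enabled or False for xss_block_header means the corresponding fix above has not taken effect.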