Cross Site Scripting Attack - Apache/IHS



Cross Site Scripting (XSS) protection can be bypassed in many browsers. You can apply this protection for a web application if it was disabled by the user. This is used by a majority of giant web companies like Facebook, Twitter, Google, etc.


  • Go to $Web_Server/conf directory
  • Open httpd.conf using vi and add following Header directive

Header set X-XSS-Protection  “1;  mode=block

  • Restart Apache

b) Disable Trace HTTP Request

By default Trace method is enabled in Apache web server.

Having this enabled can allow Cross Site Tracing attack and potentially giving an option to a hacker to steal cookie information. Let’s see how it looks like in default configuration.

  • Do a telnet web server IP with listening port
  • Make a TRACE request as shown below



#telnet localhost 80


Connected to localhost.

Escape character is '^]'.

TRACE / HTTP/1.1 Host: test

HTTP/1.1 200 OK

Date: Sat, 31 Aug 2013 02:13:24 GMT

Server: Apache

Transfer-Encoding: chunked

Content-Type: message/http 20


Host: test


Connection closed by foreign host.#



  • Go to $Web_Server/conf directory
  • Add the following directive and save the httpd.conf

TraceEnable off

  • Restart apache.