How to disable HTTP TRACE/TRACK
The HTTP TRACE/TRACK vulnerability
A recent project went through a security audit, which raised the following finding:
[Issue] The remote WWW service supports the TRACE request. RFC 2616 describes the TRACE request, which is typically used to test HTTP protocol implementations. An attacker can use TRACE requests in combination with other browser-side vulnerabilities to carry out cross-site scripting attacks and obtain sensitive information, such as the authentication information in cookies, which can then be used in other types of attacks.
1. Finding the problem
Reproduce it with the command: curl -v -X TRACE localhost:port

```
# run the following command on the server
[root@dlp logs]$ curl -v -X TRACE localhost:8089
* About to connect() to localhost port 8089 (#0)
*   Trying ::1...
* Connected to localhost (::1) port 8089 (#0)
> TRACE / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost:8089
> Accept: */*
>
User-Agent: curl/7.29.0
Host: localhost:8089
* Connection #0 to host localhost left intact
```

A 200 response (the server echoes the request headers back in the body) means the high-risk vulnerability is present.
If the output instead looks like one of the following, the vulnerability is not present:

```
< HTTP/1.1 403 Forbidden
< Content-Type: text/html; charset=iso-8859-1
```

or

```
< HTTP/1.1 405 Method Not Allowed
< Content-Type: text/html; charset=iso-8859-1
```

So our service on port 8089 clearly has the high-risk vulnerability.
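The same check for both methods in one run, as an added example that is not part of the original post: it uses the Java 11 HttpClient to send TRACE and TRACK and classifies each status code the way the curl output above is read. The base URL http://localhost:8089/ and the X-Check marker header are assumptions; point it at your own service.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import java.util.List;

// Added verification client (not from the original post): sends TRACE and TRACK
// to a base URL and reports whether each method is accepted or rejected.
public class TraceMethodCheck {

    // 2xx: the server executed the method (the audit finding is confirmed).
    // 403 / 405 / 501: the method is rejected, which is the desired state.
    static String classify(int status) {
        if (status >= 200 && status < 300) return "ACCEPTED (finding confirmed)";
        if (status == 403 || status == 405 || status == 501) return "REJECTED (ok)";
        return "UNEXPECTED";
    }

    public static void main(String[] args) throws Exception {
        // Assumed default; pass another base URL as the first argument
        String base = args.length > 0 ? args[0] : "http://localhost:8089/";
        HttpClient client = HttpClient.newBuilder()
                .version(HttpClient.Version.HTTP_1_1)
                .connectTimeout(Duration.ofSeconds(5))
                .followRedirects(HttpClient.Redirect.NEVER)
                .build();
        for (String method : List.of("TRACE", "TRACK")) {
            HttpRequest req = HttpRequest.newBuilder(URI.create(base))
                    .method(method, HttpRequest.BodyPublishers.noBody())
                    // A marker header: an accepted TRACE echoes it back in the body
                    .header("X-Check", "trace-audit")
                    .timeout(Duration.ofSeconds(5))
                    .build();
            HttpResponse<String> resp = client.send(req, HttpResponse.BodyHandlers.ofString());
            boolean echoed = resp.body().toLowerCase().contains("x-check: trace-audit");
            System.out.printf("%-5s -> %d %s%s%n", method, resp.statusCode(),
                    classify(resp.statusCode()),
                    echoed ? " [request headers echoed in body]" : "");
        }
    }
}
```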
2. Fixing the problem
How do we fix it?
Since our application is Spring Boot with the embedded Undertow server, we need to add a configuration class. The code is as follows:

```java
package com.example.demo.autoconfigure;

import io.undertow.server.HandlerWrapper;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.DisallowedMethodsHandler;
import io.undertow.util.HttpString;
import org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Configuration;

@Configuration
public class UndertowWebServerCustomizerConfig
        implements WebServerFactoryCustomizer<UndertowServletWebServerFactory> {

    @Override
    public void customize(UndertowServletWebServerFactory factory) {
        factory.addDeploymentInfoCustomizers(deploymentInfo -> {
            // Wrap the front of the handler chain so that TRACE/TRACK are
            // rejected before the request reaches the servlet container
            deploymentInfo.addInitialHandlerChainWrapper(new HandlerWrapper() {
                @Override
                public HttpHandler wrap(HttpHandler handler) {
                    HttpString[] disallowedHttpMethods = {
                            HttpString.tryFromString("TRACE"),
                            HttpString.tryFromString("TRACK")
                    };
                    return new DisallowedMethodsHandler(handler, disallowedHttpMethods);
                }
            });
        });
    }
}
```

After writing the configuration class:
- Register it as an auto-configuration class in resources/META-INF/spring.factories:

```
org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
com.example.demo.autoconfigure.UndertowWebServerCustomizerConfig
```

- Alternatively, rely on annotation scanning: make sure the application's startup class scans that package.
3. Other servers
3.1 Spring Boot with embedded Tomcat:
Configure TomcatConfig.java (this uses the Spring Boot 1.x embedded-container API):

```java
import org.apache.catalina.Context;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatConfig {

    @Bean
    public EmbeddedServletContainerFactory servletContainer() {
        TomcatEmbeddedServletContainerFactory tomcatServletContainerFactory =
                new TomcatEmbeddedServletContainerFactory();
        tomcatServletContainerFactory.addContextCustomizers(new TomcatContextCustomizer() {
            @Override
            public void customize(Context context) {
                // Security constraint covering every path for the listed methods
                SecurityConstraint securityConstraint = new SecurityConstraint();
                securityConstraint.setUserConstraint("CONFIDENTIAL");
                SecurityCollection collection = new SecurityCollection();

                collection.addPattern("/*");
                collection.addMethod("HEAD");
                collection.addMethod("PUT");
                collection.addMethod("DELETE");
                collection.addMethod("OPTIONS");
                collection.addMethod("TRACE");
                collection.addMethod("COPY");
                collection.addMethod("SEARCH");
                collection.addMethod("PROPFIND");
                securityConstraint.addCollection(collection);
                context.addConstraint(securityConstraint);
            }
        });

        // Let TRACE through at the connector level so that the security
        // constraint above is what answers it (see the note in 3.3)
        tomcatServletContainerFactory.addConnectorCustomizers(connector -> {
            connector.setAllowTrace(true);
        });
        return tomcatServletContainerFactory;
    }
}
```

Register it the same way as above.
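For projects on Spring Boot 2.x, where the classes used above no longer exist, here is an added example (not from the original post) of the same idea with the 2.x customizer API. Instead of the CONFIDENTIAL transport constraint above it uses an empty auth-constraint, the form the web.xml snippet in 3.3 uses, so TRACE and TRACK are denied outright with 403 on every path; the class and package names are assumptions.

```java
package com.example.demo.autoconfigure;

import org.apache.catalina.Context;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Configuration;

// Added example for Spring Boot 2.x (not the original post's code).
// A security constraint whose auth-constraint names no roles means "nobody is
// authorised", so Tomcat answers 403 for the listed methods without any
// login-config being required.
@Configuration
public class TomcatTraceDisableConfig
        implements WebServerFactoryCustomizer<TomcatServletWebServerFactory> {

    @Override
    public void customize(TomcatServletWebServerFactory factory) {
        factory.addContextCustomizers((Context context) -> {
            SecurityCollection collection = new SecurityCollection();
            collection.addPattern("/*");
            // Only the methods to be blocked; other methods are not affected
            collection.addMethod("TRACE");
            collection.addMethod("TRACK");

            SecurityConstraint constraint = new SecurityConstraint();
            constraint.addCollection(collection);
            // Auth constraint present but with no roles: deny for everyone (403)
            constraint.setAuthConstraint(true);
            context.addConstraint(constraint);
        });

        // Keep TRACE enabled at the connector so the constraint above, rather
        // than the connector's own 405, is what rejects the request
        factory.addConnectorCustomizers(connector -> connector.setAllowTrace(true));
    }
}
```

Re-run the curl check from section 1 afterwards; both methods should now return 403.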
3.2 Non-embedded Jetty:
Add the following configuration to jetty.xml:

```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>NoTrace</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <auth-constraint></auth-constraint>
</security-constraint>
```
3.3 Non-embedded Tomcat:
Edit web.xml in the conf directory under the Tomcat root directory,
and add the following at the end of the file (before the closing </web-app> tag):

```xml
<security-constraint>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
    <http-method>HEAD</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <auth-constraint></auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
```

Note: in Tomcat's server.xml, first allow TRACE requests on the connector, then disable TRACE in web.xml; this combination is what disables TRACE requests.

```xml
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" allowTrace="true" redirectPort="8443" />
```
3.4 Apache:
For Apache httpd 2.0.55 and later,
add the following directive at the end of httpd.conf and restart Apache:

```
TraceEnable off
```

Source: https://blog.csdn.net/hawinlolo/article/details/127776465