Notes on the HTTP TRACE method
TRACE and TRACK are HTTP methods used to debug web server connections.
Servers that support these methods are exposed to a cross-site scripting vulnerability; in descriptions of browser flaws this is usually abbreviated as XST, for "Cross-Site Tracing".
An attacker can use this weakness to trick legitimate users and obtain their private information.
Solution: disable these methods.
Disabling the TRACE method in Jetty
Standalone (non-embedded) Jetty
To disable it completely, add a security constraint, i.e. add the following configuration to jetty.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>NoTrace</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <!-- An empty auth-constraint grants the method to no role, so every TRACE request is refused. -->
    <auth-constraint></auth-constraint>
</security-constraint>
Embedded Jetty in Spring Boot
Use a filter to reject every TRACE request:
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

// Applies to every path; registered through @ServletComponentScan on the startup class.
@WebFilter(urlPatterns = "/*", filterName = "jettyFilter")
public class JettyFilter implements Filter {

    private final Logger logger = LoggerFactory.getLogger(JettyFilter.class);

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        logger.info("拦截器执行-----");
        // Answer TRACE with 405 and stop here, so the request is never echoed back to the client.
        if ("TRACE".equalsIgnoreCase(httpRequest.getMethod())) {
            httpResponse.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            logger.info("trace 拦截执行");
            return;
        }
        logger.info("拦截器结束-----");
        // Every other method continues down the filter chain unchanged.
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }
}
Add the following to the startup class:
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.servlet.ServletComponentScan;

@SpringBootApplication
@ServletComponentScan // registers the @WebFilter-annotated JettyFilter
public class CooperativeApplication {
    public static void main(String[] args) {
        SpringApplication.run(CooperativeApplication.class, args);
    }
}
Testing
Test with curl. Response before TRACE is disabled:
curl -v -X TRACE http://127.0.0.1:8396
* Trying 127.0.0.1:8396...
* Connected to 127.0.0.1 (127.0.0.1) port 8396 (#0)
> TRACE / HTTP/1.1
> Host: 127.0.0.1:8396
> User-Agent: curl/7.77.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: message/http
< Content-Length: 178
< Connection: Keep-alive
< Via: 1.1 ID-0002262070652452 uproxy-8
<
TRACE / HTTP/1.1
User-Agent: curl/7.77.0
Connection: keep-alive
X-Forwarded-For: 10.152.22.244
Host: 127.0.0.1:8396
Accept: */*
Via: 1.1 ID-0002262070652452 uproxy-8
* Connection #0 to host 127.0.0.1 left intact
Response after TRACE is disabled:
curl -v -X TRACE http://127.0.0.1:8392
* Trying 127.0.0.1:8392...
* Connected to 127.0.0.1 (127.0.0.1) port 8392 (#0)
> TRACE / HTTP/1.1
> Host: 127.0.0.1:8392
> User-Agent: curl/7.77.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 405 Method Not Allowed
< Content-Length: 0
<
* Connection #0 to host 127.0.0.1 left intact
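To run the same check from a hardening test instead of by hand, here is an added example (not from the original article) that sends the TRACE request curl sends above and classifies the reply as "echoed" (the XST condition: a 2xx with a message/http body) or "blocked" (the 405 from the filter). The two sample responses are constructed from the transcripts above; host 127.0.0.1 and port 8392 come from the second test.

```python
import http.client

# Constructed samples modelled on the two curl transcripts above: an unprotected
# server echoes the request back as message/http, a protected one answers 405.
TRACE_ECHOED = (
    "HTTP/1.1 200 OK\r\nContent-Type: message/http\r\nContent-Length: 67\r\n\r\n"
    "TRACE / HTTP/1.1\r\nUser-Agent: curl/7.77.0\r\nHost: 127.0.0.1:8396\r\n\r\n"
)
TRACE_BLOCKED = "HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 0\r\n\r\n"

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def trace_enabled(raw):
    """XST condition: a 2xx reply that reflects our request, either declared as
    message/http or with a body that starts with our own request line."""
    status, headers, body = parse_response(raw)
    reflected = (headers.get("content-type", "").startswith("message/http")
                 or body.startswith("TRACE "))
    return 200 <= status < 300 and reflected

def probe_trace(host, port, path="/", timeout=5):
    """Send one TRACE request (what `curl -X TRACE` does above) and classify the
    reply; returns (enabled, raw_response_text) so any echo can be inspected."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path)
        resp = conn.getresponse()
        raw = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
        raw += "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
        raw += "\r\n" + resp.read().decode("iso-8859-1", "replace")
    finally:
        conn.close()
    return trace_enabled(raw), raw

if __name__ == "__main__":
    # Probe the protected instance from the article; swap in your own host/port.
    enabled, raw = probe_trace("127.0.0.1", 8392)
    print("TRACE enabled (XST risk)" if enabled else "TRACE blocked")
    print(raw)
```

A filter that only logs but still calls chain.doFilter would be reported as enabled, which is exactly the regression this check is meant to catch.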