Spring Boot's embedded Tomcat flagged for a TRACE request vulnerability

A recent scan of one of our web systems with the NSFOCUS (绿盟) scanner produced a high-severity finding: the target server has the HTTP TRACE method enabled. TRACE is a request method defined by the HTTP protocol; the server answers it by echoing the client's request (request line and headers) back verbatim. Because a browser attaches headers such as Cookie and Authorization automatically, a script that can issue a TRACE request and read the response gets those values back in the body, which is why TRACE can be leveraged in cross-site scripting (XSS) attacks; this variant is known as cross-site tracing (XST), and it is the classic way around the HttpOnly cookie flag.

The NSFOCUS report suggested the following remediation:

  1. On Apache httpd 2.0.55 or later, append to the end of httpd.conf:

TraceEnable off

  2. Alternatively, on Apache, block the method with mod_rewrite:

  • Confirm the rewrite module is loaded (httpd.conf):

LoadModule rewrite_module modules/mod_rewrite.so

  • Add the following to each virtual host's configuration:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

(In the RewriteRule, `-` leaves the URL untouched and `[F]` answers 403 Forbidden. A RewriteRule with only the pattern and no substitution is incomplete: httpd refuses to start on it, since the directive takes two or three arguments.)

Our project is a standalone Spring Boot web application and does not use Apache at all. Looking into it, I found that the request methods Tomcat accepts can be restricted in its web.xml, refusing the unsafe ones:

<security-constraint>
    <web-resource-collection>
        <!-- web-resource-name is required by the web-app schema -->
        <web-resource-name>restricted-methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <!-- An empty auth-constraint grants the listed methods to no role at all,
         so Tomcat answers them with 403 Forbidden for every caller. -->
    <auth-constraint>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

Two caveats before copying this list. First, it is a block-list: any verb not named here is still served. If the application only needs GET and POST, a constraint using `<http-method-omission>` (Servlet 3.0) to deny everything except those is the tighter option. Second, the list is wider than the finding requires: HEAD is used by health checks and caches, OPTIONS by CORS preflight, and PUT/DELETE by any REST API, so keep only the methods your application really does not serve.

With Spring Boot's embedded Tomcat there is no web.xml to edit, but the same constraint can be registered from a Tomcat configuration class that the Spring container picks up:

import org.apache.catalina.Context;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatConfig {

    @Bean
    public TomcatServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory();
        // TomcatContextCustomizer is a functional interface, so a lambda will do
        factory.addContextCustomizers((Context context) -> {
            // The HTTP methods to refuse, on every URL of the application
            SecurityCollection collection = new SecurityCollection();
            collection.addMethod("PUT");
            collection.addMethod("DELETE");
            collection.addMethod("HEAD");
            collection.addMethod("OPTIONS");
            collection.addMethod("TRACE");
            collection.addPattern("/*");

            // An auth constraint with no roles is the programmatic form of an
            // empty <auth-constraint/>: the collection is denied to everyone
            // and Tomcat answers 403 Forbidden.
            SecurityConstraint constraint = new SecurityConstraint();
            constraint.addCollection(collection);
            constraint.setAuthConstraint(true);
            context.addConstraint(constraint);

            // Mark session cookies HttpOnly so page scripts cannot read them.
            // XST is precisely the trick for getting around this flag, which
            // is why TRACE has to be refused as well.
            context.setUseHttpOnly(true);
        });
        return factory;
    }
}

If your Spring Boot version is below 2.0, the factory class is TomcatEmbeddedServletContainerFactory (the Tomcat implementation of EmbeddedServletContainerFactory, in org.springframework.boot.context.embedded.tomcat). It exposes the same postProcessContext(Context) hook and addConnectorCustomizers(...) method, so the variant below works there once the class name is swapped:

import org.apache.catalina.Context;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatConfig {

    @Bean
    public TomcatServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                SecurityCollection collection = new SecurityCollection();
                collection.addPattern("/*");
                collection.addMethod("HEAD");
                collection.addMethod("PUT");
                collection.addMethod("DELETE");
                collection.addMethod("OPTIONS");
                collection.addMethod("TRACE");
                // WebDAV verbs, in case anything in front ever forwards them
                collection.addMethod("COPY");
                collection.addMethod("SEARCH");
                collection.addMethod("PROPFIND");

                SecurityConstraint securityConstraint = new SecurityConstraint();
                securityConstraint.addCollection(collection);
                // Deny the collection to everyone (403 Forbidden). Note that
                // setUserConstraint("CONFIDENTIAL") on its own would only
                // redirect these methods to HTTPS, not block them.
                securityConstraint.setAuthConstraint(true);
                context.addConstraint(securityConstraint);
            }
        };
        // TRACE is decided by the connector before the request reaches the web
        // application: with allowTrace=false (Tomcat's default) it answers
        // 405 Method Not Allowed. Set it explicitly so nothing can switch it
        // back on; setAllowTrace(true) would *enable* TRACE.
        tomcat.addConnectorCustomizers(connector -> connector.setAllowTrace(false));
        return tomcat;
    }
}

Verify the result after restarting: `curl -i -X TRACE http://localhost:8080/` should come back as 405 Method Not Allowed (from the connector) or 403 Forbidden (from the security constraint). A 200 whose body repeats the request headers you sent means TRACE is still live. Since Tomcat's connector refuses TRACE by default, a Spring Boot application that still trips the scanner after this change is usually being answered by something in front of it (a reverse proxy or load balancer), which is where the Apache rules above belong.
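To make the XST risk from the opening paragraph concrete, and to give a reusable check for the fix above, here is an added Python example; it is not part of the original post, nor code from Tomcat or Spring Boot. It stands up two constructed loopback servers (stand-ins, not Tomcat): one whose TRACE handler echoes the request the way a server with TRACE enabled does, and one that refuses it with 405 the way Tomcat does when allowTrace is false. probe_trace() sends a TRACE carrying a constructed Cookie header, which is exactly what a scanner looks for coming back, and classifies the reply. The handler and function names and the cookie value are this example's own.

```python
"""Demonstrate cross-site tracing (XST) and check that TRACE is refused.

Added example, not from the original post. Both servers are constructed
stand-ins: TraceEchoHandler behaves like a server with TRACE enabled,
TraceDeniedHandler like Tomcat with allowTrace=false.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed secret: a session cookie the browser would attach on its own.
SECRET_COOKIE = "JSESSIONID=constructed-session-token-1234"


class QuietHandler(BaseHTTPRequestHandler):
    """Base handler: logging silenced, trivial GET, no TRACE handler at all
    (BaseHTTPRequestHandler then answers 501 Not Implemented)."""
    protocol_version = "HTTP/1.1"

    def log_message(self, fmt, *args):
        pass

    def do_GET(self):
        body = b"hello\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class TraceEchoHandler(QuietHandler):
    """Vulnerable: TRACE reflects the request line and every header verbatim,
    so whatever the client sent (Cookie included) comes back in the body."""

    def do_TRACE(self):
        body = self.raw_requestline
        body += b"".join(f"{k}: {v}\r\n".encode() for k, v in self.headers.items())
        body += b"\r\n"
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class TraceDeniedHandler(QuietHandler):
    """Hardened: TRACE is refused outright with 405, as Tomcat's connector does
    when allowTrace is false (its default)."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_server(handler):
    """Bind an ephemeral loopback port and serve it from a daemon thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe_trace(host, port, path="/"):
    """Send TRACE with a cookie, as a scanner would, and classify the reply.

    "reflected": 200 and the cookie value is in the body (XST possible)
    "blocked":   403 / 405 / 501, the method is refused
    "unknown":   anything else, look at it by hand
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", path, headers={"Cookie": SECRET_COOKIE})
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    if resp.status == 200 and SECRET_COOKIE.encode() in body:
        return "reflected"
    if resp.status in (403, 405, 501):
        return "blocked"
    return "unknown"


def run_demo():
    """Probe both constructed servers; returns {"echo": ..., "denied": ...}."""
    results = {}
    for name, handler in (("echo", TraceEchoHandler), ("denied", TraceDeniedHandler)):
        server = start_server(handler)
        try:
            results[name] = probe_trace("127.0.0.1", server.server_address[1])
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

Point probe_trace() at your own host and port after deploying the configuration above; any verdict other than "blocked" means the scanner will keep firing, and "reflected" means the cookie a page script could never read directly is being handed back in a response body.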