During a recent scan of a web system with the NSFOCUS (绿盟) scanner, it reported a high-severity finding: the target server has the TRACE method enabled. TRACE is a request method defined by the HTTP protocol; the server echoes back, unchanged, whatever the client sent in the request, so it can be used to mount cross-site scripting (XSS) attacks. This variant is known as cross-site tracing (XST).
The NSFOCUS report gives the corresponding remediation:

1. For Apache 2.0.55 and later, add the following at the end of httpd.conf:

2. If you are using Apache:

- Confirm the rewrite module is enabled (httpd.conf):

```apache
LoadModule rewrite_module modules/mod_rewrite.so
```

```apache
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .*
```
Our project is a standalone Spring Boot web application and does not use an Apache server. After looking into it, we learned that the allowed HTTP request methods can be configured in Tomcat's web.xml, so that unsafe methods are refused:
```xml
<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <!-- An empty auth-constraint grants no role, so these methods are denied to everyone -->
    <auth-constraint>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
```
If you are using the embedded Tomcat container that ships with Spring Boot, you can write a Tomcat configuration class and register it as a bean in the Spring container:
```java
import org.apache.catalina.Context;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatConfig {

    @Bean
    public TomcatServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory tomcatServletContainerFactory = new TomcatServletWebServerFactory();
        tomcatServletContainerFactory.addContextCustomizers(new TomcatContextCustomizer() {
            @Override
            public void customize(Context context) {
                // Programmatic equivalent of the <security-constraint> in web.xml above:
                // the listed methods are refused on every URL pattern.
                SecurityConstraint constraint = new SecurityConstraint();
                SecurityCollection collection = new SecurityCollection();
                collection.addMethod("PUT");
                collection.addMethod("DELETE");
                collection.addMethod("HEAD");
                collection.addMethod("OPTIONS");
                collection.addMethod("TRACE");
                collection.addPattern("/*");
                constraint.addCollection(collection);
                // An auth-constraint with no roles means nobody is authorized: Tomcat answers 403.
                constraint.setAuthConstraint(true);
                context.addConstraint(constraint);
                // Unrelated but cheap hardening: mark the session cookie HttpOnly.
                context.setUseHttpOnly(true);
            }
        });
        return tomcatServletContainerFactory;
    }
}
```
If your Spring Boot version is lower than 2.0, replace TomcatServletWebServerFactory with EmbeddedServletContainerFactory:
```java
import org.apache.catalina.Context;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatConfig {

    @Bean
    public TomcatServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                SecurityConstraint securityConstraint = new SecurityConstraint();
                // Transport guarantee: the matched resources must be reached over HTTPS.
                securityConstraint.setUserConstraint("CONFIDENTIAL");
                // Without an auth-constraint the methods would merely be redirected to HTTPS,
                // not refused; an auth-constraint with no roles denies them to everyone.
                securityConstraint.setAuthConstraint(true);
                SecurityCollection collection = new SecurityCollection();
                collection.addPattern("/*");
                collection.addMethod("HEAD");
                collection.addMethod("PUT");
                collection.addMethod("DELETE");
                collection.addMethod("OPTIONS");
                collection.addMethod("TRACE");
                collection.addMethod("COPY");
                collection.addMethod("SEARCH");
                collection.addMethod("PROPFIND");
                securityConstraint.addCollection(collection);
                context.addConstraint(securityConstraint);
            }
        };
        // Tomcat's connector already refuses TRACE with 405 by default (allowTrace=false);
        // setting it to true here would re-enable the very method we are trying to block.
        tomcat.addConnectorCustomizers(connector -> connector.setAllowTrace(false));
        return tomcat;
    }
}
```
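After applying either the web.xml constraint or the embedded-Tomcat customizer above, the finding should be re-checked the way the scanner checks it: send a TRACE and see whether the request is reflected. The script below is an added example, not code from the original post or from Tomcat/Spring Boot. It runs two throwaway local servers (constructed fixtures, assumed to stand in for the application before and after the fix): one answers TRACE by echoing the request, as HTTP defines it, and the other applies the method block (405, as Tomcat's connector does). The same probe, `probe_trace`, is run against both; the hostname, port and header name it uses are assumptions for the demo.

```python
"""Post-deployment check for the TRACE finding (added example, not from the post).

Two throwaway loopback servers are constructed fixtures: EchoingHandler
reflects TRACE requests the way RFC 7231 describes, HardenedHandler applies
the method block configured in the post. Against a real deployment, call
probe_trace("app-host", 8080) once the Tomcat constraint is in place.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Statuses Tomcat returns for a refused TRACE: 405 from the connector
# (allowTrace=false, the default) and 403 from a security-constraint.
BLOCKED_STATUSES = {403, 405}


class EchoingHandler(BaseHTTPRequestHandler):
    """Fixture: TRACE reflects the request line and headers (RFC 7231 4.3.8).

    This is what the scanner flags: every header the browser attached
    (cookies, Authorization) comes back to the caller in the response body.
    """

    def do_GET(self):
        self._reply(200, b"ok", "text/plain")

    def do_TRACE(self):
        echoed = self.requestline + "\r\n" + str(self.headers)
        self._reply(200, echoed.encode(), "message/http")

    def _reply(self, status, body, content_type):
        self.send_response(status)
        self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # keep per-request logging quiet
        pass


class HardenedHandler(EchoingHandler):
    """Fixture: the method block from the post; TRACE is refused with 405."""

    def do_TRACE(self):
        self._reply(405, b"", "text/plain")


def probe_trace(host, port, marker="trace-probe-7f3a"):
    """Send one TRACE carrying a tagged header; return (status, marker_echoed).

    marker_echoed is the XST indicator: if our own header value appears in
    the body, the server reflects request headers back to the client.
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", "/", headers={"X-Probe": marker})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        return resp.status, marker in body
    finally:
        conn.close()


def trace_is_disabled(status, echoed):
    """Verdict the scanner would accept: a refusing status and nothing reflected."""
    return status in BLOCKED_STATUSES and not echoed


def start_server(handler_cls):
    """Bind a fixture server to an ephemeral loopback port and serve it in a thread."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_demo():
    """Probe both fixtures; returns {name: {"status", "echoed", "disabled"}}."""
    results = {}
    for name, handler in (("echoing", EchoingHandler), ("hardened", HardenedHandler)):
        server = start_server(handler)
        try:
            host, port = server.server_address
            status, echoed = probe_trace(host, port)
            results[name] = {"status": status, "echoed": echoed,
                             "disabled": trace_is_disabled(status, echoed)}
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name}: HTTP {r['status']}, header reflected={r['echoed']}, "
              f"TRACE disabled={r['disabled']}")
```

The probe checks two things on purpose: the status code alone is not enough, because a 200 that reflects the tagged header is exactly the XST condition, while a 403 or 405 with nothing reflected is what both the web.xml constraint and the connector's default produce.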