Server vulnerability scans frequently report a "remote www service supports TRACE requests" finding, and the remediation advice provided by the NSFOCUS scanner does not always apply. This is a summary of how TRACE requests were disabled on the different applications handled so far.
Verify the vulnerability first:
Simulate a TRACE request, assuming the port reported by the scanner is 8081:
    curl -v -X TRACE -I localhost:8081
If the response is:
    < HTTP/1.1 200 OK
    < Content-Type: message/http
then the service on that port supports TRACE requests and the vulnerability exists.
If the response is:
    < HTTP/1.1 403 Forbidden
    < Content-Type: text/html; charset=iso-8859-1
or:
    < HTTP/1.1 405 Method Not Allowed
    < Content-Type: text/html; charset=iso-8859-1
then the vulnerability is not present.
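The curl check above, automated as an added example (not part of the original post): it sends a TRACE request, classifies the reply by the criteria above (200 with message/http means TRACE is honoured; 403/405 means it is blocked), and ships with a constructed local server that either echoes TRACE or rejects it, so the whole thing runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def trace_status(host, port, path="/", timeout=5.0):
    """Send a TRACE request and return (status code, Content-Type)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, resp.getheader("Content-Type", "")
    finally:
        conn.close()

def trace_enabled(host, port):
    """True when the server echoes the request back: 200 with message/http."""
    status, ctype = trace_status(host, port)
    return status == 200 and ctype.startswith("message/http")

class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed local server: echoes TRACE (vulnerable) or answers 405 (fixed)."""
    allow_trace = True

    def do_TRACE(self):
        if not self.allow_trace:
            self.send_error(405)  # what a hardened server answers
            return
        # A server that honours TRACE reflects the request line and headers
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet

def start_demo_server(allow_trace):
    """Start a throwaway server on 127.0.0.1 with a free port; returns (server, port)."""
    handler = type("Handler", (_DemoHandler,), {"allow_trace": allow_trace})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]
```

Point `trace_enabled` at the real host and scanner-reported port to confirm a fix; the demo server is only there to show both outcomes.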
Remediation:
1. Apache:
For Apache 2.0.55 and later, add the following directive to the end of httpd.conf and restart Apache:
    TraceEnable off
For other Apache versions, edit httpd.conf:
Enable the rewrite module (remove the leading #):
    LoadModule rewrite_module modules/mod_rewrite.so
Then add the following to each virtual host's configuration file:
    # Enable the Rewrite engine
    RewriteEngine On
    # Match the request method: ^TRACE means "starts with the string TRACE"
    RewriteCond %{REQUEST_METHOD} ^TRACE
    # Rule: for every request, whatever its origin, return [F] (Forbidden)
    RewriteRule .* - [F]
Note: search httpd.conf for VirtualHost to locate the virtual host configuration files.
2. Standalone (non-embedded) Tomcat:
Edit web.xml in the conf directory under the Tomcat root and add the following at the end of the file (before </web-app>):
    <security-constraint>
        <web-resource-collection>
            <!-- web-resource-name is required by the servlet schema -->
            <web-resource-name>NoTrace</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
            <http-method>HEAD</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
        </web-resource-collection>
        <!-- empty auth-constraint: no role may use these methods -->
        <auth-constraint></auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
Note: in Tomcat, first allow TRACE requests in server.xml, then disable TRACE in web.xml; that is how TRACE requests are disabled.
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" allowTrace="true" redirectPort="8443" />
3. Spring Boot with embedded Tomcat:
Add a TomcatConfig.java configuration class (Spring Boot 1.x embedded-container API):
    import org.apache.catalina.Context;
    import org.apache.tomcat.util.descriptor.web.SecurityCollection;
    import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
    import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
    import org.springframework.boot.context.embedded.tomcat.TomcatContextCustomizer;
    import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;

    @Configuration
    public class TomcatConfig {

        @Bean
        public EmbeddedServletContainerFactory servletContainer() {
            TomcatEmbeddedServletContainerFactory tomcatServletContainerFactory = new TomcatEmbeddedServletContainerFactory();
            tomcatServletContainerFactory.addContextCustomizers(new TomcatContextCustomizer() {
                @Override
                public void customize(Context context) {
                    // Same effect as the <security-constraint> block in web.xml above
                    SecurityConstraint securityConstraint = new SecurityConstraint();
                    securityConstraint.setUserConstraint("CONFIDENTIAL");
                    // Deny every user for the listed methods (equivalent of an empty <auth-constraint/>)
                    securityConstraint.setAuthConstraint(true);
                    SecurityCollection collection = new SecurityCollection();
                    collection.addPattern("/*");
                    collection.addMethod("HEAD");
                    collection.addMethod("PUT");
                    collection.addMethod("DELETE");
                    collection.addMethod("OPTIONS");
                    collection.addMethod("TRACE");
                    collection.addMethod("COPY");
                    collection.addMethod("SEARCH");
                    collection.addMethod("PROPFIND");
                    securityConstraint.addCollection(collection);
                    context.addConstraint(securityConstraint);
                }
            });

            // Disable TRACE requests: allow TRACE at the connector so that the
            // security constraint above handles and rejects it (see the Tomcat note)
            tomcatServletContainerFactory.addConnectorCustomizers(connector -> {
                connector.setAllowTrace(true);
            });
            return tomcatServletContainerFactory;
        }
    }
4. Standalone (non-embedded) Jetty:
Add the following configuration to jetty.xml:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>NoTrace</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>TRACE</http-method>
        </web-resource-collection>
        <auth-constraint></auth-constraint>
    </security-constraint>
5. Spring Boot with embedded Jetty:
I have not actually done this case myself; the code is taken from another blogger. Use an interceptor to filter all TRACE requests, adding the configuration in the startup class; alternatively, add a Jetty configuration class directly, as with embedded Tomcat.
Reference: https://blog.csdn.net/qq_33479841/article/details/109769790