如何禁用 HTTP TRACE/TRACK

HTTP TRACE/TRACK 漏洞问题

最近项目被安全稽核，发现有如下问题：

【问题】远端WWW服务支持TRACE请求。RFC 2616介绍了TRACE请求，该请求典型地用于测试HTTP协议实现。攻击者利用TRACE请求，结合其它浏览器端漏洞，有可能进行跨站脚本攻击，获取敏感信息，比如cookie中的认证信息，这些敏感信息将被用于其它类型的攻击。

1、发现问题

模拟确认： 指令 curl -v -X TRACE localhost:port

# 到服务器上面输入下面的命令
[root@dlp logs]$ curl -v -X TRACE localhost:8089
* About to connect() to localhost port 8089 (#0)
*   Trying ::1...
* Connected to localhost (::1) port 8089 (#0)
> TRACE / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost:8089
> Accept: */*
> 
< HTTP/1.1 200 OK
< Connection: keep-alive
< Content-Type: message/http; charset=UTF-8
< Content-Length: 78
< Date: Wed, 09 Nov 2022 11:49:34 GMT
< 
TRACE / HTTP/1.1
Accept: */*
User-Agent: curl/7.29.0
Host: localhost:8089
* Connection #0 to host localhost left intact
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

响应返回 200 ，即代表存在高危漏洞！

如果回显为，如下所示，则该漏洞不存在。

< HTTP/1.1 403 Forbidden
< Content-Type: text/html; charset=iso-8859-1
或者回显为
< HTTP/1.1 405 Method Not Allowed
< Content-Type: text/html; charset=iso-8859-1
1
2
3
4
5

显然，我们服务 8089 应该存在高危漏洞。

2、解决问题

如何解决？

由于我们应用是 spring-boot 内嵌 undertow 服务器， 那么就需要添加配置项，直接附上代码：

package com.example.demo.autoconfigure;

import io.undertow.server.HandlerWrapper;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.DisallowedMethodsHandler;
import io.undertow.util.HttpString;
import org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Configuration;


@Configuration
public class UndertowWebServerCustomizerConfig implements WebServerFactoryCustomizer<UndertowServletWebServerFactory> {

    @Override
    public void customize(UndertowServletWebServerFactory factory) {
        factory.addDeploymentInfoCustomizers(deploymentInfo -> {
            deploymentInfo.addInitialHandlerChainWrapper(new HandlerWrapper() {
                @Override
                public HttpHandler wrap(HttpHandler handler) {
                    HttpString[] disallowedHttpMethods = {HttpString.tryFromString("TRACE"),
                            HttpString.tryFromString("TRACK")};
                    return new DisallowedMethodsHandler(handler, disallowedHttpMethods);
                }
            });
        });
    }
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

写好配置类之后：

• 在resources/META-INF/spring.factories中设置自动配置类。

org.springframework.boot.autoconfigure.EnableAutoConfiguration=\
com.example.demo.autoconfigure.UndertowWebServerCustomizerConfig
1
2

• 也可以注解方式，启动app类扫码该包路径即可；

3、拓展

3.1、对于spring boot内嵌tomcat:

配置TomcatConfig.java

 1 import org.apache.catalina.Context;
 2 import org.apache.tomcat.util.descriptor.web.SecurityCollection;
 3 import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
 4 import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
 5 import org.springframework.boot.context.embedded.tomcat.TomcatContextCustomizer;
 6 import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
 7 import org.springframework.context.annotation.Bean;
 8 import org.springframework.context.annotation.Configuration;
 9 
10 @Configuration
11 public class TomcatConfig {
12     
13     @Bean
14     public EmbeddedServletContainerFactory servletContainer() {
15         TomcatEmbeddedServletContainerFactory tomcatServletContainerFactory = new TomcatEmbeddedServletContainerFactory();
16         tomcatServletContainerFactory.addContextCustomizers(new TomcatContextCustomizer(){
17             @Override
18             public void customize(Context context) {
19                 SecurityConstraint securityConstraint  = new SecurityConstraint();
20                 securityConstraint.setUserConstraint("CONFIDENTIAL");  
21                 SecurityCollection collection = new SecurityCollection();
22                 
23                 collection.addPattern("/*");  
24                 collection.addMethod("HEAD");  
25                 collection.addMethod("PUT");  
26                 collection.addMethod("DELETE");  
27                 collection.addMethod("OPTIONS");  
28                 collection.addMethod("TRACE");  
29                 collection.addMethod("COPY");  
30                 collection.addMethod("SEARCH");  
31                 collection.addMethod("PROPFIND");  
32                 securityConstraint .addCollection(collection);  
33                 context.addConstraint(securityConstraint );  
34             }
35         });
36         
37         //禁用TRACE请求
38         tomcatServletContainerFactory.addConnectorCustomizers(connector -> {
39             connector.setAllowTrace(true);
40         });
41         return tomcatServletContainerFactory;
42     }
43 }
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

引入方式同上！

3.2、 对于非内嵌式Jetty:

在jetty.xml中增加配置：

1 <security-constraint>
2     <web-resource-collection>
3         <web-resource-name>NoTraceweb-resource-name>
4         <url-pattern>/*url-pattern>
5         <http-method>TRACEhttp-method>
6     web-resource-collection>
7     <auth-constraint>auth-constraint>
8 security-constraint>
1
2
3
4
5
6
7
8

3.3、对于非内嵌tomcat：

直接修改tomcat根目录conf目录下的web.xml,
在文件末尾(之前)添加如下代码:

<security-constraint>
<web-resource-collection>
<url-pattern>/*url-pattern>
<http-method>PUThttp-method>
<http-method>DELETEhttp-method>
<http-method>HEADhttp-method>
<http-method>OPTIONShttp-method>
<http-method>TRACEhttp-method>
web-resource-collection>
<auth-constraint>
auth-constraint>
security-constraint>
<login-config>
<auth-method>BASICauth-method>
login-config>
注:在tomcat的在server.xml中先允许TRACE请求，再在web.xml中禁用TRACE，以此禁用TRACE请求.
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" allowTrace="true"
               redirectPort="8443" />
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

3.4、对于apache:

对于2.0.55以上版本的apache服务器，
在httpd.conf尾部添加如下指令后重启apache即可:
TraceEnable off