共计 1637 个字符,预计需要花费 5 分钟才能阅读完成。
| 导读 | 不安全的 HTTP 方法一般包括:TRACE、PUT、DELETE、COPY 等。其中最常见的为 TRACE 方法可以回显服务器收到的请求,主要用于测试或诊断,恶意攻击者可以利用该方法进行跨站跟踪攻击(即 XST 攻击),从而进行网站钓鱼、盗取管理员 cookie 等。 |
禁止不安全的 http 请求方式 PUT、DELETE、HEAD、OPTIONS、TRACE 等,只保留 GET 和 POST 请求。其中 tomcat 和 weblogic 部署解决方案都是在 web.xml 中添加配置文件,但格式有所差异,详情如下:
Tomcat 配置方法
1)Tomcat:在 web.xml 中添加:
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>PATCH</http-method>
<http-method>COPY</http-method>
<http-method>LINK</http-method>
<http-method>UNLINK</http-method>
<http-method>PURGE</http-method>
<http-method>LOCK</http-method>
<http-method>UNLOCK</http-method>
<http-method>PROPFIND</http-method>
<http-method>VIEW</http-method>
</web-resource-collection>
<auth-constraint>
</auth-constraint>
</security-constraint>weblogic 配置方法
2)Weblogic: 在 web.xml 中添加:
<security-constraint>
<web-resource-collection>
<web-resource-name>sgpssc</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>PATCH</http-method>
<http-method>COPY</http-method>
<http-method>LINK</http-method>
<http-method>UNLINK</http-method>
<http-method>PURGE</http-method>
<http-method>LOCK</http-method>
<http-method>UNLOCK</http-method>
<http-method>PROPFIND</http-method>
<http-method>VIEW</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint>可以通过谷歌浏览器的插件 Postman 工具检测,是否修复。
正文完
星哥说事-微信公众号
