| 导读 | 不安全的HTTP方法一般包括:TRACE、PUT、DELETE、COPY 等。其中最常见的为TRACE方法可以回显服务器收到的请求,主要用于测试或诊断,恶意攻击者可以利用该方法进行跨站跟踪攻击(即XST攻击),从而进行网站钓鱼、盗取管理员cookie等。 |
禁止不安全的http请求方式PUT、DELETE、HEAD、OPTIONS、TRACE等,只保留GET和POST请求。其中tomcat和weblogic部署解决方案都是在web.xml中添加配置文件,但格式有所差异,详情如下:
Tomcat配置方法
1)Tomcat:在web.xml中添加:
<security-constraint> <web-resource-collection> <url-pattern>/*</url-pattern> <http-method>PUT</http-method> <http-method>DELETE</http-method> <http-method>HEAD</http-method> <http-method>OPTIONS</http-method> <http-method>TRACE</http-method> <http-method>PATCH</http-method> <http-method>COPY</http-method> <http-method>LINK</http-method> <http-method>UNLINK</http-method> <http-method>PURGE</http-method> <http-method>LOCK</http-method> <http-method>UNLOCK</http-method> <http-method>PROPFIND</http-method> <http-method>VIEW</http-method> </web-resource-collection> <auth-constraint> </auth-constraint> </security-constraint>
weblogic配置方法
2)Weblogic:在web.xml中添加:
<security-constraint> <web-resource-collection> <web-resource-name>sgpssc</web-resource-name> <url-pattern>/*</url-pattern> <http-method>PUT</http-method> <http-method>DELETE</http-method> <http-method>HEAD</http-method> <http-method>OPTIONS</http-method> <http-method>TRACE</http-method> <http-method>PATCH</http-method> <http-method>COPY</http-method> <http-method>LINK</http-method> <http-method>UNLINK</http-method> <http-method>PURGE</http-method> <http-method>LOCK</http-method> <http-method>UNLOCK</http-method> <http-method>PROPFIND</http-method> <http-method>VIEW</http-method> </web-resource-collection> <auth-constraint/> </security-constraint>
可以通过谷歌浏览器的插件Postman工具检测,是否修复。
原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/126679.html