處理weblogic、tomcat關閉不安全的http請求

roc_guo發表於2021-07-23
導讀 不安全的HTTP方法一般包括:TRACE、PUT、DELETE、COPY 等。其中最常見的為TRACE方法可以回顯伺服器收到的請求,主要用於測試或診斷,惡意攻擊者可以利用該方法進行跨站跟蹤攻擊(即XST攻擊),從而進行網站釣魚、盜取管理員cookie等。

處理weblogic、tomcat關閉不安全的http請求處理weblogic、tomcat關閉不安全的http請求

禁止不安全的http請求方式PUT、DELETE、HEAD、OPTIONS、TRACE等,只保留GET和POST請求。其中tomcat和weblogic部署解決方案都是在web.xml中新增配置檔案,但格式有所差異,詳情如下:

Tomcat配置方法

1)Tomcat:在web.xml中新增:

<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>PATCH</http-method>
<http-method>COPY</http-method>
<http-method>LINK</http-method>
<http-method>UNLINK</http-method>
<http-method>PURGE</http-method>
<http-method>LOCK</http-method>
<http-method>UNLOCK</http-method>
<http-method>PROPFIND</http-method>
<http-method>VIEW</http-method>
</web-resource-collection>
<auth-constraint>
</auth-constraint>
</security-constraint>
weblogic配置方法

2)Weblogic:在web.xml中新增:

<security-constraint>
<web-resource-collection>
<web-resource-name>sgpssc</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>PATCH</http-method>
<http-method>COPY</http-method>
<http-method>LINK</http-method>
<http-method>UNLINK</http-method>
<http-method>PURGE</http-method>
<http-method>LOCK</http-method>
<http-method>UNLOCK</http-method>
<http-method>PROPFIND</http-method>
<http-method>VIEW</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint>

可以透過谷歌瀏覽器的外掛Postman工具檢測,是否修復。

原文來自: https://www.linuxprobe.com/weblogic-tomcat-http.html

來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/69955379/viewspace-2783050/,如需轉載,請註明出處,否則將追究法律責任。

相關文章