TRACE和TRACK是用于调试Web服务器连接的HTTP方法。

Blade 未结

关注

 1  256

novl 2025-04-01 14:14

183

中

10.199.20.12

8010(通用)

否

信息泄露

允许HTTP TRACE / TRACK方法【原理扫描】

SF-2022-00684

远程Web服务器支持TRACE和/或TRACK方法。 TRACE和TRACK是用于调试Web服务器连接的HTTP方法。

通过一个跨站追踪攻击窃取cookies和验证信任

如果不使用该服务就禁用它

http://www.apacheweek.com/issues/03-01-24
https://download.oracle.com/sunalerts/1000718.1.html
https://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
https://www.cnnvd.org.cn/home/globalSearch?keyword=CNNVD-201001-256
https://www.cnnvd.org.cn/home/globalSearch?keyword=CNNVD-200412-533
https://www.cnnvd.org.cn/home/globalSearch?keyword=CNNVD-200901-175

通过TRACE方法发送请求
收到响应状态码: 200

1条回答

admin (楼主)

2025-04-01 15:54

* Use of this software is governed by the Commercial License Agreement * obtained after purchasing a license from BladeX. *

* 1. This software is for development use only under a valid license * from BladeX. *

* 2. Redistribution of this software's source code to any third party * without a commercial license is strictly prohibited. *

* 3. Licensees may copyright their own code but cannot use segments * from this software for such purposes. Copyright of this software * remains with BladeX. *

* Using this software signifies agreement to this License, and the software * must not be used for illegal purposes. *

* THIS SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY. The author is * not liable for any claims arising from secondary or illegal development. *

* Author: Chill Zhuang (bladejava@qq.com) */ package org.springblade.common.filter; import jakarta.servlet.*; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; import org.springframework.stereotype.Component; import java.io.IOException; /** * Http过滤器 * * @author BladeX */ @Component public class HttpFilter implements Filter { @Override public void init(FilterConfig filterConfig) { } @Override public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { HttpServletRequest httpRequest = (HttpServletRequest) servletRequest; HttpServletResponse httpResponse = (HttpServletResponse) servletResponse; // 获取请求方法 String method = httpRequest.getMethod(); // 如果请求方法是 TRACE 或 TRACK，返回 405 Method Not Allowed if ("TRACE".equalsIgnoreCase(method) || "TRACK".equalsIgnoreCase(method)) { httpResponse.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED); // HTTP 405 httpResponse.getWriter().write("Method Not Allowed"); return; } // 否则，继续过滤链中的下一个 Filter 或 Servlet filterChain.doFilter(httpRequest, httpResponse); } @Override public void destroy() { } }

另外请给我们邮箱：bladejava@qq.com 发一个邮件提供授权公司名，登记为商业账号后方可进行商业版问题答疑。

0 讨论(0)