183 | Medium | 10.199.20.12 | - | 8010 (generic) | 5 | No | Information disclosure | HTTP TRACE / TRACK methods allowed [principle-based scan] | 1 | - | SF-2022-00684 | The remote web server supports the TRACE and/or TRACK method. TRACE and TRACK are HTTP methods used for debugging web server connections. | Cookies and authentication credentials can be stolen through a cross-site tracing (XST) attack, because the server reflects the request, headers included, back in the response body. | Disable the methods if they are not needed. | http://www.apacheweek.com/issues/03-01-24 https://download.oracle.com/sunalerts/1000718.1.html https://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf https://www.cnnvd.org.cn/home/globalSearch?keyword=CNNVD-201001-256 https://www.cnnvd.org.cn/home/globalSearch?keyword=CNNVD-200412-533 https://www.cnnvd.org.cn/home/globalSearch?keyword=CNNVD-200901-175 | A request sent with the TRACE method received response status code: 200 |
/**
* BladeX Commercial License Agreement
* Copyright (c) 2018-2099, https://bladex.cn. All rights reserved.
* <p>
* Use of this software is governed by the Commercial License Agreement
* obtained after purchasing a license from BladeX.
* <p>
* 1. This software is for development use only under a valid license
* from BladeX.
* <p>
* 2. Redistribution of this software's source code to any third party
* without a commercial license is strictly prohibited.
* <p>
* 3. Licensees may copyright their own code but cannot use segments
* from this software for such purposes. Copyright of this software
* remains with BladeX.
* <p>
* Using this software signifies agreement to this License, and the software
* must not be used for illegal purposes.
* <p>
* THIS SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY. The author is
* not liable for any claims arising from secondary or illegal development.
* <p>
* Author: Chill Zhuang (bladejava@qq.com)
*/
package org.springblade.common.filter;

import jakarta.servlet.*;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;

import java.io.IOException;

/**
 * HTTP filter: rejects the TRACE and TRACK methods with 405 Method Not Allowed
 * so the server never reflects request headers (cookies included) back to the client.
 *
 * @author BladeX
 */
@Component
public class HttpFilter implements Filter {

	@Override
	public void init(FilterConfig filterConfig) {
	}

	@Override
	public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
		HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
		HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
		// Read the request method
		String method = httpRequest.getMethod();
		// TRACE and TRACK would echo the request back to the client; answer 405 Method Not Allowed instead
		if ("TRACE".equalsIgnoreCase(method) || "TRACK".equalsIgnoreCase(method)) {
			httpResponse.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED); // HTTP 405
			httpResponse.getWriter().write("Method Not Allowed");
			return;
		}
		// Otherwise continue to the next Filter or Servlet in the chain
		filterChain.doFilter(httpRequest, httpResponse);
	}

	@Override
	public void destroy() {
	}
}
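The scanner's evidence above is a single TRACE request that came back 200. The script below is an added example, not BladeX code, that reproduces that check against two constructed local servers: one that reflects the request the way a TRACE-enabled server does (which is exactly what lets a cross-site tracing attack read the Cookie header), and one that answers 405 the way the HttpFilter above does. The listening addresses, the `probe`/`run_demo` helpers and the JSESSIONID value are all constructed for the demonstration.

```python
"""Reproduce the scanner's TRACE/TRACK check and show why a 200 matters.

Two constructed local servers stand in for the target: EchoHandler reflects the
request the way a TRACE-enabled server does, RejectHandler answers 405 the way
the HttpFilter above does. probe() sends the raw request a scanner (or a
cross-site tracing payload) would send and reports the status and whether the
Cookie header came back in the body.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler
from socketserver import TCPServer

# Constructed session cookie; only its reflection in the response body matters.
SESSION_COOKIE = "JSESSIONID=constructed-session-value"


class EchoHandler(BaseHTTPRequestHandler):
    """TRACE enabled: the request line and headers are reflected with 200."""

    def _echo(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_TRACE = _echo
    do_TRACK = _echo

    def log_message(self, *args):  # silence per-request logging
        pass


class RejectHandler(EchoHandler):
    """Hardened: TRACE and TRACK get 405 plus the Allow header RFC 7231 requires."""

    def _reject(self):
        body = b"Method Not Allowed"
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_TRACE = _reject
    do_TRACK = _reject


def start_server(handler):
    """Serve `handler` on an ephemeral 127.0.0.1 port in a daemon thread."""
    server = TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(host, port, method="TRACE", cookie=SESSION_COOKIE, timeout=5.0):
    """Send a raw `method` request carrying a Cookie header and return
    (status_code, cookie_reflected_in_body). HTTP/1.0 plus Connection: close
    lets us read the whole response until the server closes the socket."""
    request = (
        f"{method} / HTTP/1.0\r\n"
        f"Host: {host}:{port}\r\n"
        f"Cookie: {cookie}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    response = b"".join(chunks)
    status_line, _, rest = response.partition(b"\r\n")
    status = int(status_line.split()[1])
    _, _, body = rest.partition(b"\r\n\r\n")
    return status, cookie.encode() in body


def run_demo():
    """Probe both servers with TRACE and TRACK; keys are (label, method)."""
    results = {}
    for label, handler in (("vulnerable", EchoHandler), ("hardened", RejectHandler)):
        server, port = start_server(handler)
        try:
            for method in ("TRACE", "TRACK"):
                results[(label, method)] = probe("127.0.0.1", port, method)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for (label, method), (status, reflected) in run_demo().items():
        print(f"{label:10s} {method}: status {status}, cookie reflected: {reflected}")
```

Two practical notes. First, RFC 7231 requires a 405 response to carry an Allow header listing the supported methods; the filter above omits it, which scanners do not object to but which the hardened server here includes. Second, re-run the probe against the exact host and port the scanner tested (here 10.199.20.12:8010): a servlet filter only changes what the application answers, not what a reverse proxy or another listener on that port says to TRACE.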
In addition, please send an email to bladejava@qq.com with the name of the licensed company; questions about the commercial edition are answered only after the account has been registered as a commercial account.