| 183 | Medium | 10.199.20.12 | - | 8010 (generic) | 5 | No | Information disclosure | HTTP TRACE / TRACK methods allowed [principle-based scan] | 1 | - | SF-2022-00684 | The remote web server supports the TRACE and/or TRACK method. TRACE and TRACK are HTTP methods used for debugging web server connections. | Cookies and authentication credentials can be stolen through a cross-site tracing attack | Disable the service if it is not used | http://www.apacheweek.com/issues/03-01-24 https://download.oracle.com/sunalerts/1000718.1.html https://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf https://www.cnnvd.org.cn/home/globalSearch?keyword=CNNVD-201001-256 https://www.cnnvd.org.cn/home/globalSearch?keyword=CNNVD-200412-533 https://www.cnnvd.org.cn/home/globalSearch?keyword=CNNVD-200901-175 | Sent a request using the TRACE method; received response status code: 200 |
```java
/**
 * BladeX Commercial License Agreement
 * Copyright (c) 2018-2099, https://bladex.cn. All rights reserved.
 * <p>
 * Use of this software is governed by the Commercial License Agreement
 * obtained after purchasing a license from BladeX.
 * <p>
 * 1. This software is for development use only under a valid license
 * from BladeX.
 * <p>
 * 2. Redistribution of this software's source code to any third party
 * without a commercial license is strictly prohibited.
 * <p>
 * 3. Licensees may copyright their own code but cannot use segments
 * from this software for such purposes. Copyright of this software
 * remains with BladeX.
 * <p>
 * Using this software signifies agreement to this License, and the software
 * must not be used for illegal purposes.
 * <p>
 * THIS SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY. The author is
 * not liable for any claims arising from secondary or illegal development.
 * <p>
 * Author: Chill Zhuang (bladejava@qq.com)
 */
package org.springblade.common.filter;

import jakarta.servlet.*;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;

import java.io.IOException;

/**
 * HTTP filter
 *
 * @author BladeX
 */
@Component
public class HttpFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
        // Get the request method
        String method = httpRequest.getMethod();
        // If the request method is TRACE or TRACK, return 405 Method Not Allowed
        if ("TRACE".equalsIgnoreCase(method) || "TRACK".equalsIgnoreCase(method)) {
            httpResponse.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED); // HTTP 405
            httpResponse.getWriter().write("Method Not Allowed");
            return;
        }
        // Otherwise, continue to the next Filter or Servlet in the chain
        filterChain.doFilter(httpRequest, httpResponse);
    }

    @Override
    public void destroy() {
    }
}
```
Also, please send an email to bladejava@qq.com with the name of the licensed company; once it is registered as a commercial account, support for commercial edition questions becomes available.
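The scanner's own check is the last cell of the report row above: send a TRACE request and look at the status code. The script below, an added example rather than BladeX or scanner code, repeats that check for both TRACE and TRACK so a deployment can be re-verified after the filter goes live. The `StubHandler` local server, its ephemeral port and the `run_self_check` helper are constructed here only so the script runs offline; to check a real deployment, call `check_trace_track` with the scanned host and port instead.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

UNSAFE_METHODS = ("TRACE", "TRACK")

def probe_method(host, port, method, path="/"):
    """Send one request with the given HTTP method and return the status code."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path)
        return conn.getresponse().status
    finally:
        conn.close()

def check_trace_track(host, port):
    """Map each debugging method to the status code the server answered with."""
    return {m: probe_method(host, port, m) for m in UNSAFE_METHODS}

def is_remediated(results):
    """The scanner's finding is closed only when neither method is served with 200."""
    return all(status != 200 for status in results.values())

class StubHandler(BaseHTTPRequestHandler):
    """Constructed stand-in: 405 mimics a server behind the filter above, 200 the unfixed one."""
    debug_status = 405

    def _debug_method(self):
        self.send_response(self.debug_status)
        self.end_headers()
    do_TRACE = do_TRACK = _debug_method

    def log_message(self, *args):  # silence per-request logging during the probe
        pass

def serve(debug_status):
    """Start a stand-in answering TRACE/TRACK with debug_status; returns (server, port)."""
    handler = type("Stub", (StubHandler,), {"debug_status": debug_status})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]

def run_self_check():
    """Probe a fixed (405) and an unfixed (200) stand-in; returns both result dicts."""
    results = []
    for status in (405, 200):
        server, port = serve(status)
        results.append(check_trace_track("127.0.0.1", port))
        server.shutdown()
    return tuple(results)
```

A server that answers 501 or 405 both pass `is_remediated`; only a 200 for either method reproduces the finding.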