TRACE和TRACK是用于调试Web服务器连接的HTTP方法。

Blade 未结

关注举报

 1  135

novl 剑童 2025-04-01 14:14

183

中

10.199.20.12

8010(通用)

否

信息泄露

允许HTTP TRACE / TRACK方法【原理扫描】

SF-2022-00684

远程Web服务器支持TRACE和/或TRACK方法。 TRACE和TRACK是用于调试Web服务器连接的HTTP方法。

通过一个跨站追踪攻击窃取cookies和验证信任

如果不使用该服务就禁用它

http://www.apacheweek.com/issues/03-01-24
https://download.oracle.com/sunalerts/1000718.1.html
https://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
https://www.cnnvd.org.cn/home/globalSearch?keyword=CNNVD-201001-256
https://www.cnnvd.org.cn/home/globalSearch?keyword=CNNVD-200412-533
https://www.cnnvd.org.cn/home/globalSearch?keyword=CNNVD-200901-175

通过TRACE方法发送请求
收到响应状态码: 200

1条回答

admin - BladeX作者

2025-04-01 15:54

 /**
 * BladeX Commercial License Agreement
 * Copyright (c) 2018-2099, https://bladex.cn. All rights reserved.
 * <p>
 * Use of this software is governed by the Commercial License Agreement
 * obtained after purchasing a license from BladeX.
 * <p>
 * 1. This software is for development use only under a valid license
 * from BladeX.
 * <p>
 * 2. Redistribution of this software's source code to any third party
 * without a commercial license is strictly prohibited.
 * <p>
 * 3. Licensees may copyright their own code but cannot use segments
 * from this software for such purposes. Copyright of this software
 * remains with BladeX.
 * <p>
 * Using this software signifies agreement to this License, and the software
 * must not be used for illegal purposes.
 * <p>
 * THIS SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY. The author is
 * not liable for any claims arising from secondary or illegal development.
 * <p>
 * Author: Chill Zhuang (bladejava@qq.com)
 */
package org.springblade.common.filter;
 
import jakarta.servlet.*;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
 
import java.io.IOException;
 
/**
 * Http过滤器
 *
 * @author BladeX
 */
@Component
public class HttpFilter implements Filter {
 
 
    @Override
    public void init(FilterConfig filterConfig) {
    }
 
 
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
 
       HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
       HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
 
       // 获取请求方法
       String method = httpRequest.getMethod();
 
       // 如果请求方法是 TRACE 或 TRACK，返回 405 Method Not Allowed
       if ("TRACE".equalsIgnoreCase(method) || "TRACK".equalsIgnoreCase(method)) {
          httpResponse.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);  // HTTP 405
          httpResponse.getWriter().write("Method Not Allowed");
          return;
       }
 
       // 否则，继续过滤链中的下一个 Filter 或 Servlet
       filterChain.doFilter(httpRequest, httpResponse);
 
    }
 
    @Override
    public void destroy() {
    }
}

另外请给我们邮箱：bladejava@qq.com 发一个邮件提供授权公司名，登记为商业账号后方可进行商业版问题答疑。

	/**
	* BladeX Commercial License Agreement
	* Copyright (c) 2018-2099, https://bladex.cn. All rights reserved.
	* <p>
	* Use of this software is governed by the Commercial License Agreement
	* obtained after purchasing a license from BladeX.
	* <p>
	* 1. This software is for development use only under a valid license
	* from BladeX.
	* <p>
	* 2. Redistribution of this software's source code to any third party
	* without a commercial license is strictly prohibited.
	* <p>
	* 3. Licensees may copyright their own code but cannot use segments
	* from this software for such purposes. Copyright of this software
	* remains with BladeX.
	* <p>
	* Using this software signifies agreement to this License, and the software
	* must not be used for illegal purposes.
	* <p>
	* THIS SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY. The author is
	* not liable for any claims arising from secondary or illegal development.
	* <p>
	* Author: Chill Zhuang (bladejava@qq.com)
	*/
	package org.springblade.common.filter;

	import jakarta.servlet.*;
	import jakarta.servlet.http.HttpServletRequest;
	import jakarta.servlet.http.HttpServletResponse;
	import org.springframework.stereotype.Component;

	import java.io.IOException;

	/**
	* Http过滤器
	*
	* @author BladeX
	*/
	@Component
	public class HttpFilter implements Filter {


	@Override
	public void init(FilterConfig filterConfig) {
	}


	@Override
	public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {

	HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
	HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;

	// 获取请求方法
	String method = httpRequest.getMethod();

	// 如果请求方法是 TRACE 或 TRACK，返回 405 Method Not Allowed
	if ("TRACE".equalsIgnoreCase(method) \|\| "TRACK".equalsIgnoreCase(method)) {
	httpResponse.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED); // HTTP 405
	httpResponse.getWriter().write("Method Not Allowed");
	return;
	}

	// 否则，继续过滤链中的下一个 Filter 或 Servlet
	filterChain.doFilter(httpRequest, httpResponse);

	}

	@Override
	public void destroy() {
	}
	}