183 | Medium | 10.199.20.12 | - | 8010 (generic) | 5 | No | Information disclosure | HTTP TRACE / TRACK methods allowed [principle scan] | 1 | - | SF-2022-00684 | The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods used for debugging web server connections. | Theft of cookies and authentication credentials via a cross-site tracing attack | Disable the service if it is not in use | http://www.apacheweek.com/issues/03-01-24 https://download.oracle.com/sunalerts/1000718.1.html https://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf https://www.cnnvd.org.cn/home/globalSearch?keyword=CNNVD-201001-256 https://www.cnnvd.org.cn/home/globalSearch?keyword=CNNVD-200412-533 https://www.cnnvd.org.cn/home/globalSearch?keyword=CNNVD-200901-175 | A request was sent using the TRACE method; response status code received: 200 |
```java
/**
 * BladeX Commercial License Agreement
 * Copyright (c) 2018-2099, https://bladex.cn. All rights reserved.
 * <p>
 * Use of this software is governed by the Commercial License Agreement
 * obtained after purchasing a license from BladeX.
 * <p>
 * 1. This software is for development use only under a valid license
 * from BladeX.
 * <p>
 * 2. Redistribution of this software's source code to any third party
 * without a commercial license is strictly prohibited.
 * <p>
 * 3. Licensees may copyright their own code but cannot use segments
 * from this software for such purposes. Copyright of this software
 * remains with BladeX.
 * <p>
 * Using this software signifies agreement to this License, and the software
 * must not be used for illegal purposes.
 * <p>
 * THIS SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY. The author is
 * not liable for any claims arising from secondary or illegal development.
 * <p>
 * Author: Chill Zhuang (bladejava@qq.com)
 */
package org.springblade.common.filter;

import jakarta.servlet.*;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;

import java.io.IOException;

/**
 * HTTP filter: rejects the TRACE and TRACK methods with 405 before they reach any servlet.
 *
 * @author BladeX
 */
@Component
public class HttpFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
        throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;

        // Read the request method
        String method = httpRequest.getMethod();

        // If the method is TRACE or TRACK, answer 405 Method Not Allowed and stop the chain
        if ("TRACE".equalsIgnoreCase(method) || "TRACK".equalsIgnoreCase(method)) {
            httpResponse.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED); // HTTP 405
            httpResponse.setContentType("text/plain");
            httpResponse.getWriter().write("Method Not Allowed");
            return;
        }

        // Otherwise, hand the request on to the next Filter or Servlet in the chain
        filterChain.doFilter(httpRequest, httpResponse);
    }

    @Override
    public void destroy() {
    }
}
```
Also, please send an email to bladejava@qq.com giving the name of the licensed company; commercial-edition support questions can only be answered once you have been registered as a commercial account.
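The behaviour the filter above enforces, shown end to end as an added example (this is not BladeX code and not part of the answer): a toy Python HTTP server in the weak configuration the scan flagged, where TRACE echoes the request back, including any Cookie header, which is exactly what a cross-site tracing attack relies on; beside it the hardened configuration that answers 405 the way the Java filter does; and the probe a defender runs to confirm the finding is closed (the scanner's own check was "send TRACE, look for 200"). The loopback address, the ephemeral port, the `session=demo` cookie and the handler names are constructed for this example.

```python
"""Demonstrate the TRACE/TRACK finding and its fix with two toy servers.

Constructed for this example: the handlers, the loopback bind and the
demo cookie. Nothing here is BladeX code.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class EchoingHandler(BaseHTTPRequestHandler):
    """Weak configuration: TRACE/TRACK are honoured and reflect the request."""

    def do_GET(self):
        self._send(200, b"ok")

    def do_TRACE(self):
        # TRACE semantics (RFC 7231): echo the request line and headers as message/http.
        # Any Cookie header the client sent comes straight back in the body.
        echoed = f"{self.requestline}\r\n{self.headers}".encode()
        self._send(200, echoed, "message/http")

    do_TRACK = do_TRACE  # TRACK is the IIS alias for TRACE

    def _send(self, status, body, ctype="text/plain"):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


class HardenedHandler(EchoingHandler):
    """Corrected configuration: the same decision the Java filter makes."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")  # a 405 should list what is permitted
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_TRACK = do_TRACE


def start_server(handler):
    """Bind an ephemeral loopback port and serve in a daemon thread; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe_method(host, port, method):
    """Send one request with the given method; return (status, body_text).

    This is the scanner's check: a 200 to TRACE means the method is honoured.
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, "/", headers={"Cookie": "session=demo"})  # constructed cookie
        resp = conn.getresponse()
        return resp.status, resp.read().decode(errors="replace")
    finally:
        conn.close()


def trace_exposed(host, port):
    """True when TRACE or TRACK is answered with 200, i.e. the finding still applies."""
    return any(probe_method(host, port, m)[0] == 200 for m in ("TRACE", "TRACK"))


if __name__ == "__main__":
    for name, handler in (("echoing", EchoingHandler), ("hardened", HardenedHandler)):
        server, port = start_server(handler)
        status, body = probe_method("127.0.0.1", port, "TRACE")
        print(f"{name}: TRACE -> {status}; cookie echoed: {'session=demo' in body}")
        server.shutdown()
        server.server_close()
```

Run it as a script and the echoing server reports a 200 with the demo cookie reflected in the body, while the hardened server reports 405 with nothing echoed. `trace_exposed()` is the same yes/no question the scan report answered, so it doubles as a regression check after the filter is deployed; point it at the real host and port instead of the toy servers.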