HTTP TRACE / TRACK Methods Allowed
References
https://www.beyondsecurity.com/scan_pentest_network_vulnerabilities_http_trace_method_xss_vulnerability
https://www.tenable.com/plugins/nessus/11213
http://www.alphadevx.com/a/383-Disabling-the-TRACE-method-in-Apache2
https://community.pivotal.io/s/article/How-to-disable-HTTP-TRACE-for-Apache-httpd-Pivotal-Web-Server-and-How-to-test-HTTP-TRACE
Impact
TRACE and TRACK are HTTP methods that are used to debug web server connections.
Servers that support these methods are subject to cross-site scripting (XSS) attacks when the methods are used in conjunction with various weaknesses in browsers.
Detection
Using Nmap
nmap -n -p80 -sT --script http-methods,http-trace 192.168.1.1
Using curl: if the issue has been fixed, the server returns a 405 Method Not Allowed response.
curl -i -X TRACE http://192.168.1.1/
Solution
To disable these methods, add the following lines for each virtual
host in your configuration file:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.
Nessus sent the following TRACE request :
------------------------------ snip ------------------------------
TRACE /Nessus962237332.html HTTP/1.1
Connection: Close
Host: 192.168.27.59
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
and received the following response from the remote server :
------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Wed, 01 Aug 2018 06:57:59 GMT
Server: Apache/2.4.33 (Win64) PHP/5.6.35
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http
TRACE /Nessus962237332.html HTTP/1.1
Connection: Keep-Alive
Host: 192.168.27.59
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
Option 1: httpd
Add the following to the end of httpd.conf, then restart the Apache2 service.
TraceEnable off
Option 2: virtual hosts
https://blog.csdn.net/andy1219111/article/details/7718553
http://www.techstacks.com/howto/disable-tracetrack-in-apache-httpd.html
First, make sure the rewrite_module module is enabled in Apache2.
# httpd.conf
LoadModule rewrite_module "/usr/local/apache/modules/mod_rewrite.so"
Virtual-hosting users can add the following to their .htaccess file to filter TRACE requests.
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
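To verify either fix, the check below (an added example, not part of the original page or of any tool it cites) sends TRACE and TRACK with a random marker header and classifies the reply. It treats 405 (what TraceEnable off produces) and 403 (what the RewriteRule [F] flag produces) as fixed; the X-Trace-Check header name, the function names and the sample replies are assumptions made for this example.

```python
import http.client
import sys
import uuid

def classify_trace(status, content_type, body, marker):
    """Classify the reply to a TRACE/TRACK probe as enabled/disabled/inconclusive.

    marker is a random value the probe sent in a request header; a live TRACE
    handler echoes the whole request, marker included, in the response body.
    """
    ctype = (content_type or "").split(";")[0].strip().lower()
    if status == 200 and (marker in body or ctype == "message/http"):
        return "enabled"       # request reflected back to the client
    if status in (403, 405, 501):
        # 405: TraceEnable off; 403: the RewriteRule [F]; 501: not implemented
        return "disabled"
    return "inconclusive"      # e.g. 200 with an ordinary page, or a redirect

def probe(host, port=80, method="TRACE", timeout=5):
    """Send one request with a unique marker header and classify the reply."""
    marker = uuid.uuid4().hex
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # X-Trace-Check is a made-up header name used only to carry the marker
        conn.request(method, "/", headers={"X-Trace-Check": marker})
        resp = conn.getresponse()
        body = resp.read(65536).decode("latin-1")
        return classify_trace(resp.status, resp.getheader("Content-Type"), body, marker)
    finally:
        conn.close()

# Constructed sample replies (not captured traffic): (status, type, body)
SAMPLES = {
    "unpatched": (200, "message/http", "TRACE / HTTP/1.1\r\nX-Trace-Check: m1\r\n"),
    "TraceEnable off": (405, "text/html; charset=iso-8859-1", "Method Not Allowed"),
    "rewrite [F]": (403, "text/html", "Forbidden"),
    "app answers 200": (200, "text/html", "<html>home</html>"),
}

def classify_samples():
    return {name: classify_trace(*reply, marker="m1") for name, reply in SAMPLES.items()}

if __name__ == "__main__":
    if len(sys.argv) > 1:          # e.g. python check_trace.py 192.168.1.1
        for m in ("TRACE", "TRACK"):
            print(m, probe(sys.argv[1], method=m))
    else:
        print(classify_samples())
```

An "inconclusive" result usually means an application or proxy answered the request itself, so check the raw response by hand with the curl command above.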