zoukankan      html  css  js  c++  java
  • 解决安全扫描Insecure HTTP Methods Enabled的问题

    今天把Spring MVC的Java网站部署到CentOS上,并且设置了https/ssl 8443端口,然后用IBM Rational AppScan进行安全扫描,发现一个漏洞:Insecure HTTP Methods Enabled. 原因是Tomcat支持的http命令中包含DELETE、OPTIONS、PUT、HEAD和TRACE这五条命令。

     

     漏洞描述和建议:

    Insecure HTTP Methods Enabled

    Severity:  Medium
    Type: Infrastructure test
    WASC Threat Classification: Client-side Attacks: Content Spoofing
    CVE Reference(s): N/A
    Security Risk: It is possible to upload, modify or delete web pages, scripts and files on the web server

    Fix Recommendation
    If you do not need WebDAV enabled on your server, make sure that you either disable it, or disallow HTTP methods (verbs) that are unneeded.

    解决办法

    参考了这个帖子,但小题大做了,只需修改网站的web.xml添加下面的内容即可。

    <security-constraint>
         <web-resource-collection>
              <web-resource-name>DisableUnsecureHttpActions</web-resource-name>
              <url-pattern>/*</url-pattern>
              <http-method>DELETE</http-method>
              <http-method>PUT</http-method>
              <http-method>HEAD</http-method>
              <http-method>TRACE</http-method>
              <http-method>OPTIONS</http-method>
         </web-resource-collection>
         <auth-constraint>
            <role-name>NotExistingRole</role-name>
         </auth-constraint>
         <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
         </user-data-constraint>
     </security-constraint>

    有关Security-constraint的理解,可以参考这个帖子。

    作者的其它相关文章

  • 相关阅读:
    简约 高效 基层管理体制
    六大纪律
    平行文
    党章
    四大考验 四大危险
    创新、协调、绿色、开放、共享五大发展理念
    微信公众号-->微信html页面缓存问题
    本地kafka环境部署
    >>读懂一本书:樊登读书法>>-->摘抄
    海龟交易法则(第3版)-->摘抄
  • 原文地址:https://www.cnblogs.com/Mainz/p/2777679.html
Copyright © 2011-2022 走看看