解决安全扫描Insecure HTTP Methods Enabled的问题
今天把Spring MVC的Java网站部署到CentOS上,并且设置了https/ssl 8443端口,然后用IBM Rational AppScan进行安全扫描,发现一个漏洞:Insecure HTTP Methods Enabled. 原因是Tomcat支持的http命令中包含DELETE、OPTIONS、PUT、HEAD和TRACE这五条命令。
漏洞描述和建议:
Insecure HTTP Methods Enabled
Severity: Medium
Type: Infrastructure test
WASC Threat Classification: Client-side Attacks: Content Spoofing
CVE Reference(s): N/A
Security Risk: It is possible to upload, modify or delete web pages, scripts and files on the web server
Fix Recommendation
If you do not need WebDAV enabled on your server, make sure that you either disable it, or disallow HTTP methods (verbs) that are unneeded.
Severity: Medium
Type: Infrastructure test
WASC Threat Classification: Client-side Attacks: Content Spoofing
CVE Reference(s): N/A
Security Risk: It is possible to upload, modify or delete web pages, scripts and files on the web server
Fix Recommendation
If you do not need WebDAV enabled on your server, make sure that you either disable it, or disallow HTTP methods (verbs) that are unneeded.
解决办法
参考了这个帖子,但小题大做了,只需修改网站的web.xml添加下面的内容即可。
<security-constraint>
<web-resource-collection>
<web-resource-name>DisableUnsecureHttpActions</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>DELETE</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>TRACE</http-method>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>NotExistingRole</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<web-resource-collection>
<web-resource-name>DisableUnsecureHttpActions</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>DELETE</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>TRACE</http-method>
<http-method>OPTIONS</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>NotExistingRole</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
有关Security-constraint的理解,可以参考这个帖子。