今天把Spring MVC的Java网站部署到CentOS上,并且设置了https/ssl 8443端口,然后用IBM Rational AppScan进行安全扫描,发现一个漏洞:Insecure HTTP Methods Enabled. 原因是Tomcat支持的http命令中包含DELETE、OPTIONS、PUT、HEAD和TRACE这五条命令。
漏洞描述和建议:
Insecure HTTP Methods Enabled Severity: Medium Type: Infrastructure test WASC Threat Classification: Client-side Attacks: Content Spoofing CVE Reference(s): N/A Security Risk: It is possible to upload, modify or delete web pages, scripts and files on the web server Fix Recommendation If you do not need WebDAV enabled on your server, make sure that you either disable it, or disallow HTTP methods (verbs) that are unneeded.
解决办法
参考了帖子,但小题大做了,只需修改网站的web.xml添加下面的内容即可。
< security-constraint > < web-resource-collection > < web-resource-name >DisableUnsecureHttpActions </ web-resource-name > < url-pattern >/* </ url-pattern > < http-method >DELETE </ http-method > < http-method >PUT </ http-method > < http-method >HEAD </ http-method > < http-method >TRACE </ http-method > < http-method >OPTIONS </ http-method > </ web-resource-collection > < auth-constraint > < role-name >NotExistingRole </ role-name > </ auth-constraint > < user-data-constraint > < transport-guarantee >NONE </ transport-guarantee > </ user-data-constraint > </ security-constraint >
有关Security-constraint的理解,可以参考帖子。