解决安全扫描Insecure HTTP Methods Enabled的问题

今天把Spring MVC的Java网站部署到CentOS上，并且设置了https/ssl 8443端口，然后用IBM Rational AppScan进行安全扫描，发现一个漏洞：Insecure HTTP Methods Enabled. 原因是Tomcat支持的http命令中包含DELETE、OPTIONS、PUT、HEAD和TRACE这五条命令。

 

 漏洞描述和建议：

Insecure HTTP Methods Enabled

Severity:  Medium
Type: Infrastructure test
WASC Threat Classification: Client-side Attacks: Content Spoofing
CVE Reference(s): N/A
Security Risk: It is possible to upload, modify or delete web pages, scripts and files on the web server

Fix Recommendation
If you do not need WebDAV enabled on your server, make sure that you either disable it, or disallow HTTP methods (verbs) that are unneeded.

 

解决办法

参考了这个帖子，但小题大做了，只需修改网站的web.xml添加下面的内容即可。

<security-constraint>

     <web-resource-collection>

          <web-resource-name>DisableUnsecureHttpActions</web-resource-name>

          <url-pattern>/*</url-pattern>

          <http-method>DELETE</http-method>

          <http-method>PUT</http-method>

          <http-method>HEAD</http-method>

          <http-method>TRACE</http-method>

          <http-method>OPTIONS</http-method>

     </web-resource-collection>

     <auth-constraint>

        <role-name>NotExistingRole</role-name>

     </auth-constraint>

     <user-data-constraint>

        <transport-guarantee>NONE</transport-guarantee>

     </user-data-constraint>

 </security-constraint>

有关Security-constraint的理解，可以参考这个帖子。

作者的其它相关文章

• Spring MVC防御CSRF、XSS和SQL注入攻击
• Tomcat的SessionID引起的Session Fixation和Session Hijacking问题