Enjoy Sharing Technology!


Monday, November 15, 2021

appscan: Authentication Bypass Using HTTP Verb Tampering

1.1 Attack principle

Insecure HTTP methods such as PUT, DELETE, MOVE, COPY, TRACE, PROPFIND, PROPPATCH, MKCOL, LOCK and UNLOCK can let an attacker modify files on the web server, delete web pages, or even upload a web shell and obtain user identity information; each of them can create a serious security vulnerability. Developers need to restrict the accepted HTTP request methods to prevent unauthorized tampering with server resources.

1.2 Case analysis

AppScan sends a request with the meaningless HTTP verb BOGUS to the server. The server responds normally (200 OK), which shows that the application does not check the HTTP request method and is therefore exposed to HTTP verb tampering.

BOGUS /fams/admin/j_security_check HTTP/1.1
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://xxx-core-stg1.paic.com.cn/fams/
Host: xxx-core-stg1.paic.com.cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Win32)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 477
Date: Wed, 14 Mar 2018 01:56:23 GMT

1.3 Defense recommendations

1. Restrict HTTP methods, for example by allowing only GET, POST and the other methods the application actually needs.

2. Use the Filter mechanism provided by the J2EE standard to filter requests by method.

3. Check Tomcat's web.xml (or WebLogic's weblogic.xml) and restrict the request methods there, for example:

<security-constraint>
  <web-resource-collection>
    <!-- web-resource-name is required by the deployment descriptor schema -->
    <web-resource-name>restricted-methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
    <http-method>HEAD</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <!-- empty auth-constraint: no role may use the listed methods -->
  <auth-constraint></auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>

4. Add a request interceptor in Struts that checks request.getMethod(), for example:

String method = request.getMethod();
if (method.equalsIgnoreCase("post") || method.equalsIgnoreCase("get") || method.equalsIgnoreCase("head")
        || method.equalsIgnoreCase("trace") || method.equalsIgnoreCase("connect") || method.equalsIgnoreCase("options")) {
    // permitted method: let the request continue; any other verb is rejected
}

5. Disable WebDAV in IIS. WebDAV is an extension of HTTP/1.1 that adds methods beyond GET, POST and HEAD so that applications can write files directly to the web server.

6. Set the following restriction in Apache's httpd.conf:

<Location />
  <LimitExcept GET POST HEAD CONNECT OPTIONS>
    Order Allow,Deny
    Deny from all
  </LimitExcept>
</Location>

1.4 Actual repair plan

1. Two server types are in use: Tomcat and WebSphere (WAS). The local environment runs Tomcat and uses the configuration in step 2; step 3 is mainly for the WAS server.

2. Add the <security-constraint> configuration to the web.xml file.

3. For static resources, save the following directives as a file named .htaccess and place it in the static resource folder:

<LimitExcept GET POST>
  Order deny,allow
  Deny from all
</LimitExcept>

Dynamic resources need to be restricted in Java code.

See the LimitExcept directive in the official Apache documentation; IBM HTTP Server (IHS) is based on Apache and uses the same syntax:

http://httpd.apache.org/docs/2.4/mod/core.html#limitexcept
