[CVE-related remediation] Fixing the "HTTP TRACE Method Enabled" vulnerability

by cheonvi, 2022. 1. 5.

While developing and deploying a RESTful API with the Spring Boot framework, a security finding for the "HTTP TRACE Method Enabled" vulnerability was raised.

The finding was reported because calling TRACE with curl did not produce the message "TRACE method not allowed", so I modified the Spring Boot source so that this message is returned.

 

■ First, configure the Tomcat embedded in Spring Boot to allow the TRACE method

 

import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatConfig {

    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> tomcatCustomizer() {
        return customizer -> customizer.addConnectorCustomizers(connector -> {
            // Tomcat rejects TRACE on its own by default. Allowing it here lets the
            // request reach SecurityFilter, which answers with the custom 405 message.
            connector.setAllowTrace(true);  // filtered in the SecurityFilter with custom error
        });
    }
}

 

■ Add a filter class that responds with "TRACE method not allowed" when an HTTP TRACE request arrives

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.stereotype.Component;

@Component
@Order(1)  // run before other filters so TRACE never reaches application code
public class SecurityFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (HttpMethod.TRACE.name().equals(request.getMethod())) {
            // TRACE is not allowed: reply 405 with a short body and stop the chain,
            // so the request is never echoed back to the client.
            HttpServletResponse response = (HttpServletResponse) res;
            response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            response.setContentType("message/http");
            response.getWriter().println("TRACE method not allowed");
            response.getWriter().flush();
            return;
        }
        chain.doFilter(req, res);
    }
}

■ Verifying the fix

curl -k -i -X TRACE --cookie "VULNERABLE=yes" http://localhost:8082
HTTP/1.1 405
Content-Type: message/http;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Tue, 28 Dec 2021 10:10:50 GMT

TRACE method not allowed
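The curl check above sends a marker cookie (VULNERABLE=yes) so that a reflected TRACE response would be visible in the body. The following script is an added example, not code from the original post: it classifies a captured TRACE response as blocked only when the status is 405 and the marker is not echoed back. The sample responses are constructed, and the URL in the trailing comment is the one used in the post.

```shell
#!/bin/sh
# Added example: decide whether a raw HTTP response to a TRACE probe shows
# the method blocked (405, marker not reflected) or reflected (XST risk).

# check_trace_response RESPONSE MARKER
# Prints "blocked (405)" and returns 0 when safe; otherwise prints
# "vulnerable (...)" and returns 1.
check_trace_response() {
    # strip CRs so header/blank-line parsing works on real curl -i output
    resp=$(printf '%s\n' "$1" | tr -d '\r')
    marker=$2
    # status code from the first line, e.g. "HTTP/1.1 405" -> 405
    status=$(printf '%s\n' "$resp" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    # body = everything after the first blank line
    body=$(printf '%s\n' "$resp" | sed '1,/^[[:space:]]*$/d')
    if [ "$status" = "405" ] && ! printf '%s' "$body" | grep -q "$marker"; then
        echo "blocked ($status)"
        return 0
    fi
    echo "vulnerable (status=${status:-none})"
    return 1
}

# Constructed sample: what the filter from this post returns.
SAFE='HTTP/1.1 405
Content-Type: message/http;charset=ISO-8859-1

TRACE method not allowed'

# Constructed sample: a server that echoes the request, cookie included.
REFLECTED='HTTP/1.1 200
Content-Type: message/http

TRACE / HTTP/1.1
Host: localhost:8082
Cookie: VULNERABLE=yes'

check_trace_response "$SAFE" "VULNERABLE=yes"
check_trace_response "$REFLECTED" "VULNERABLE=yes" || true

# Live use against the deployed service (same probe as in the post):
# check_trace_response "$(curl -s -k -i -X TRACE --cookie 'VULNERABLE=yes' http://localhost:8082)" VULNERABLE=yes
```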