On 08/09/2021 14:14, Gilles Robert wrote:
> Hi,
>
> Using Spring Boot (2.5.4) with Tomcat (9.0.52), the HTTP TRACE method is disabled by default and returns a 405 Method Not Allowed, which is what I expect security-wise.
>
> My issue is that if one gives a malicious header:
>
> malicious: <script>alert('malicious call');</script>
>
> it's given back in the response:
>
> TRACE /xyz/error HTTP/1.1
> malicious: <script>alert('malicious call');</script>
> user-agent: PostmanRuntime/7.22.0
> accept: */*
> host: localhost:8080
> accept-encoding: gzip, deflate, br
> content-length: 0
> connection: keep-alive
>
> This conforms to RFC 2616, which states: "If the request is valid, the response SHOULD contain the entire request message in the entity-body, with a Content-Type of "message/http"."
Do you mean that you are seeing the TRACE response even when TRACE is disabled?
Or is the issue that if TRACE is enabled, then you see the "malicious" header in the response?
Mark
> My penetration test team is complaining about it. How can I remove any HTML entities from the TRACE response, without having to enable it, cleaning the tags and returning the 405 myself?
>
> Thanks!
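One way to stop the request from being echoed, as an added example that is not from this thread or from the Tomcat or Spring projects: a servlet filter that answers every TRACE request with an empty 405 before anything else can write a body. Since the echoed request line above is `TRACE /xyz/error`, this example assumes the reflection happens while the error page is being dispatched, so the filter is made to run on ERROR dispatches as well; the class name and the Allow header value are illustrative.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter for a Spring Boot 2.5 / Tomcat 9 application (javax.servlet API).
// Spring Boot registers an OncePerRequestFilter bean for all dispatcher types, but the
// base class skips ERROR dispatches unless shouldNotFilterErrorDispatch() is overridden.
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class RejectTraceFilter extends OncePerRequestFilter {

    @Override
    protected boolean shouldNotFilterErrorDispatch() {
        // Also intercept the error-page forward (the "TRACE /xyz/error" request seen above).
        return false;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        if ("TRACE".equalsIgnoreCase(request.getMethod())) {
            // Discard any status, headers or buffered body written so far, then send a
            // bare 405. Nothing from the request is copied into the response, so there
            // is nothing left to HTML-escape.
            if (!response.isCommitted()) {
                response.reset();
            }
            response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            // RFC 7231 requires an Allow header on 405; list the methods the app serves.
            response.setHeader("Allow", "GET, HEAD, POST, PUT, DELETE, OPTIONS");
            response.setContentLength(0);
            response.flushBuffer();
            return;
        }
        chain.doFilter(request, response);
    }
}
```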
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
