
A security company has flagged our Spring Boot 2.3.4 applications for the error response returned when an HTTP TRACE request is sent. We are using the Tomcat container which already has the HTTP TRACE disabled by default, however the response does contain TRACE information. This is the output:

$ curl -k -i -X TRACE --cookie "VULNERABLE=Yes" http://localhost:9090

HTTP/1.1 405
Allow: HEAD, DELETE, POST, GET, OPTIONS, PUT
Content-Type: message/http
Content-Length: 116
Date: Fri, 16 Oct 2020 20:41:51 GMT

TRACE /error HTTP/1.1
host: localhost:9090
user-agent: curl/7.64.1
accept: */*
cookie: VULNERABLE=Yes

The only way I have been able to change this is to enable HTTP TRACE requests with this code in the configuration class annotated with "@Configuration":

    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> tomcatCustomizer() {
        return customizer -> customizer.addConnectorCustomizers(connector -> {
            connector.setAllowTrace(true);  // filtered in the SecurityFilter with custom error
        });
    }

Then I have added a servlet filter to intercept the request and return a custom response:

    import java.io.IOException;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.springframework.core.annotation.Order;
    import org.springframework.http.HttpMethod;
    import org.springframework.stereotype.Component;

    @Component
    @Order(1)
    public class SecurityFilter implements Filter {

        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
        }

        @Override
        public void doFilter(ServletRequest servletRequest,
                             ServletResponse servletResponse,
                             FilterChain filterChain) throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) servletRequest;
            if (HttpMethod.TRACE.name().equals(request.getMethod())) {
                // TRACE not allowed: answer 405 with a fixed body instead of echoing the request
                HttpServletResponse response = (HttpServletResponse) servletResponse;
                response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
                response.setContentType("message/http");
                response.getWriter().println("TRACE method not allowed");
                response.getWriter().flush();
                return;
            }
            filterChain.doFilter(servletRequest, servletResponse);
        }

        @Override
        public void destroy() {
        }
    }

The response from that same curl request is:

HTTP/1.1 405 
Content-Type: message/http;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 12 Nov 2020 19:11:13 GMT

TRACE method not allowed

Has anyone encountered a similar issue? It seems like enabling trace just to be able to change the response body is not a good idea.

Jesse
  • There are 3 ways you can do this in Spring Boot, check https://stackoverflow.com/questions/42367975/disable-http-options-method-in-spring-boot-application – özkan pakdil Dec 10 '20 at 22:36

1 Answer

You can set

spring.mvc.dispatch-trace-request: true

in your application.yml.

Then, "org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController" will create the error response without any trace information.

regards.

iwa
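An added regression test (not code from the question or the answer) that sends a TRACE request to the running embedded Tomcat and checks the response neither echoes the request headers nor uses the `message/http` echo format. It assumes `spring-boot-starter-test` (JUnit 5, AssertJ) on the test classpath; the package name and the `VULNERABLE=Yes` cookie value are constructed for the example.

```java
package com.example.demo; // hypothetical package, adjust to the application's own

import static org.assertj.core.api.Assertions.assertThat;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.web.client.TestRestTemplate;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;

// Starts the real servlet container on a random port so the test exercises
// Tomcat's own TRACE handling and the error dispatch to /error, not a mock.
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT,
        properties = "spring.mvc.dispatch-trace-request=true")
class TraceMethodTest {

    @Autowired
    private TestRestTemplate rest;

    @Test
    void traceRequestIsRejectedWithoutEchoingRequest() {
        HttpHeaders headers = new HttpHeaders();
        // Constructed marker: if this value shows up in the body, the server echoed the request.
        headers.add(HttpHeaders.COOKIE, "VULNERABLE=Yes");

        // TestRestTemplate does not throw on 4xx/5xx, so the 405 can be inspected directly.
        ResponseEntity<String> response = rest.exchange(
                "/", HttpMethod.TRACE, new HttpEntity<>(headers), String.class);

        assertThat(response.getStatusCode()).isEqualTo(HttpStatus.METHOD_NOT_ALLOWED);

        String body = response.getBody() == null ? "" : response.getBody();
        assertThat(body).doesNotContain("VULNERABLE=Yes"); // no cookie reflection
        assertThat(body).doesNotContain("TRACE /");        // no request-line echo

        // The echo produced by HttpServlet.doTrace is typed message/http; a proper
        // error response (BasicErrorController or a filter body) must not use it.
        MediaType contentType = response.getHeaders().getContentType();
        assertThat(contentType == null || !"message".equals(contentType.getType())).isTrue();
    }
}
```

Run it once with the property removed to confirm the test fails on the echoed `TRACE /error HTTP/1.1` body, which shows it actually guards the behaviour the scanner flagged.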