Securing Tomcat – Part 3

Vulnerability: Allowed HTTP Methods: OPTIONS, PUT, DELETE, TRACE

Remediation:

Add the following to web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <!-- An empty auth-constraint grants the listed methods to no role at all,
       so Tomcat answers them with 403 Forbidden for every URL. -->
  <auth-constraint />
</security-constraint>

How to check (Tomcat listening on port 8180 here; only the status line of each response is printed):

for method in OPTIONS GET HEAD POST PUT DELETE TRACE CONNECT; do
  echo -e "\n\nTrying $method\n\n"
  # HTTP/1.1 requires CRLF line endings, so use printf rather than echo -e with bare \n
  printf '%s / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n' "$method" | nc localhost 8180 | head -1
  sleep 2
done
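The same check as an added example that is not part of the original post: a small Python script that sends each method with proper CRLF framing, parses the status line (including Tomcat's empty reason phrase, e.g. "HTTP/1.1 403 ") and gives a pass/fail verdict against the constraint above. The host localhost and port 8180 come from the post; the function names and the constructed test inputs are mine.

```python
import re
import socket
from typing import Dict, Optional, Tuple

# Methods the web.xml security-constraint denies (empty <auth-constraint/> -> 403).
DENIED = {"PUT", "DELETE", "OPTIONS", "TRACE"}
# Same probe list as the shell loop in the post.
ALL_METHODS = ["OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"]

def build_request(method: str, host: str, path: str = "/") -> bytes:
    """Build a minimal HTTP/1.1 request with the CRLF line endings the RFC requires."""
    return (f"{method} {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")

_STATUS = re.compile(rb"^HTTP/1\.[01] (\d{3})")

def parse_status(raw: bytes) -> Optional[int]:
    """Return the numeric status code, or None if the reply is not an HTTP status line.
    Matches on the three digits only, so a missing reason phrase is tolerated."""
    m = _STATUS.match(raw)
    return int(m.group(1)) if m else None

def method_ok(method: str, status: Optional[int]) -> bool:
    """True when the observed status is what the hardened configuration should produce."""
    if method in DENIED:
        # 403 from the constraint; 405 if the container never supported the method.
        return status in (403, 405)
    # Other methods are not covered by the constraint; we only require an answer.
    return status is not None

def probe(host: str, port: int, method: str, timeout: float = 5.0) -> Optional[int]:
    """Send one request over a raw socket and return the status code of the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(method, host))
        head = s.recv(1024)
    return parse_status(head)

def audit(host: str, port: int) -> Dict[str, Tuple[Optional[int], bool]]:
    """Probe every method and pair each status with its verdict."""
    return {m: (st, method_ok(m, st)) for m in ALL_METHODS for st in [probe(host, port, m)]}

if __name__ == "__main__":
    for m, (status, ok) in audit("localhost", 8180).items():
        print(f"{m:8} {status}  {'ok' if ok else 'NOT BLOCKED'}")
```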

Note: Tomcat 8 is not vulnerable, since the JSP 2.3 spec only permits GET, POST or HEAD.
