Disable HTTP TRACE and TRACK methods #391

Merged

Conversation

tbowman-sfmc
Contributor

Corporate Security Scanners find both the HTTP TRACE and TRACK methods to be exploitable so this modifies the default behavior of Undertow to disallow those methods. I've included a test to ensure that rejection occurs.

Collaborator

@davideicardi davideicardi left a comment

Thank you! LGTM! Just one question:
Is there a specific security issue regarding the Trace and Track methods? Or is it just a best practice?

@tbowman-sfmc
Contributor Author

Trace has been used to steal user credentials so the recommendation is to disable it by default: https://owasp.org/www-community/attacks/Cross_Site_Tracing

Track is IIS specific but it gets lumped together with Trace since it shares the same vulnerabilities.
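Added example (not the code from this pull request, and not Undertow's or the project's own source): one way to make an Undertow server answer TRACE and TRACK with 405 Method Not Allowed before either request reaches application code, using Undertow's `DisallowedMethodsHandler`. The listener port, the stand-in application handler and the Spring Boot wiring in the nested configuration class are assumptions for illustration; the page does not show how the PR itself hooks into Undertow.

```java
import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.DisallowedMethodsHandler;
import io.undertow.util.Headers;
import io.undertow.util.HttpString;
import io.undertow.util.Methods;
import org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Added example, not code from PR #391 or from Undertow itself.
 * Refuses HTTP TRACE and TRACK at the edge of the handler chain, so a
 * TRACE request can never be echoed back (the cross-site tracing issue
 * linked above) regardless of what the application handlers do.
 */
public final class DisableTraceAndTrack {

    // TRACK is IIS-specific and not a standard method, so Undertow's Methods
    // class has no constant for it; build the HttpString by hand.
    static final HttpString TRACK = new HttpString("TRACK");

    /**
     * Wrap any handler so that TRACE and TRACK are answered with 405 and the
     * exchange is ended; every other method is passed to {@code next}.
     */
    static HttpHandler withoutTraceAndTrack(HttpHandler next) {
        return new DisallowedMethodsHandler(next, Methods.TRACE, TRACK);
    }

    /** Hypothetical application handler standing in for the real one. */
    static HttpHandler app() {
        return (HttpServerExchange exchange) -> {
            exchange.getResponseHeaders().put(Headers.CONTENT_TYPE, "text/plain");
            exchange.getResponseSender().send("hello");
        };
    }

    /** Plain embedded Undertow: port and bind address are constructed values. */
    public static void main(String[] args) {
        Undertow server = Undertow.builder()
                .addHttpListener(8080, "127.0.0.1")
                .setHandler(withoutTraceAndTrack(app()))
                .build();
        server.start();
    }

    /**
     * Assumed Spring Boot wiring (the page does not say the project uses
     * Spring Boot): wrap the servlet deployment's initial handler chain so the
     * check runs before any servlet or filter sees the request.
     */
    @Configuration
    static class UndertowMethodConfig {
        @Bean
        WebServerFactoryCustomizer<UndertowServletWebServerFactory> disallowTraceAndTrack() {
            return factory -> factory.addDeploymentInfoCustomizers(
                    deploymentInfo -> deploymentInfo.addInitialHandlerChainWrapper(
                            DisableTraceAndTrack::withoutTraceAndTrack));
        }
    }
}
```

To confirm the setting took effect on your own instance, send a TRACE and a TRACK request to the running server (for example with `curl -i -X TRACE http://127.0.0.1:8080/`) and check that both return 405 with an empty body, while a GET to the same path still returns the application's response. That is the same kind of check a scanner performs, and it is what the test described in the PR description should assert.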

@tbowman-sfmc
Contributor Author

Sorry, I missed your question at the bottom about the functions. The VO object would error out unless those functions were defined so I added them to get a successful test run.

@davideicardi davideicardi merged commit a907335 into obsidiandynamics:master Jun 19, 2022