Re: Http TRACE method headers in response body
Mark, On 9/9/21 03:05, Mark Thomas wrote: On 08/09/2021 20:50, Christopher Schultz wrote: Mark, On 9/8/21 11:28, Mark Thomas wrote: On 08/09/2021 16:15, Gilles Robert wrote: My issue is that even though TRACE is disabled, we see the "malicious" header in the response. You need to talk to the Spring folks then. Default Tomcat behaviour is to return a 405 with an error message in the response. I've just doubled checked this with telnet and 9.0.x. As an aside, the idea that any TRACE response is a security issue with the server, whether it contains a "malicious" header or not is nonsense. The only thing a user agent anywhere should be doing with a TRACE response is displaying it as plain text. If a user agent does something else with the response, and especially if it does something reckless like treating it is HTML, then than is a security issue with the user agent, not the server. Super duper vuln: $ curl -X TRACE --header '' myurl | bash RCE every time, bro. :) You would have got bonus points if the first character was '#' rather than '$'. sudo make me a sandwich[1] ? -chris [1] https://xkcd.com/149/ - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Http TRACE method headers in response body
On 08/09/2021 20:50, Christopher Schultz wrote: Mark, On 9/8/21 11:28, Mark Thomas wrote: On 08/09/2021 16:15, Gilles Robert wrote: My issue is that even though TRACE is disabled, we see the "malicious" header in the response. You need to talk to the Spring folks then. Default Tomcat behaviour is to return a 405 with an error message in the response. I've just doubled checked this with telnet and 9.0.x. As an aside, the idea that any TRACE response is a security issue with the server, whether it contains a "malicious" header or not is nonsense. The only thing a user agent anywhere should be doing with a TRACE response is displaying it as plain text. If a user agent does something else with the response, and especially if it does something reckless like treating it is HTML, then than is a security issue with the user agent, not the server. Super duper vuln: $ curl -X TRACE --header '' myurl | bash RCE every time, bro. :) You would have got bonus points if the first character was '#' rather than '$'. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Http TRACE method headers in response body
Mark,
On 9/8/21 11:28, Mark Thomas wrote:
On 08/09/2021 16:15, Gilles Robert wrote:
My issue is that even though TRACE is disabled, we see the "malicious"
header in the response.
You need to talk to the Spring folks then. Default Tomcat behaviour is
to return a 405 with an error message in the response. I've just doubled
checked this with telnet and 9.0.x.
As an aside, the idea that any TRACE response is a security issue with
the server, whether it contains a "malicious" header or not is nonsense.
The only thing a user agent anywhere should be doing with a TRACE
response is displaying it as plain text. If a user agent does something
else with the response, and especially if it does something reckless
like treating it is HTML, then than is a security issue with the user
agent, not the server.
Super duper vuln:
$ curl -X TRACE --header '' myurl | bash
RCE every time, bro.
-chris
On Wed, 8 Sept 2021 at 17:01, Mark Thomas wrote:
On 08/09/2021 14:14, Gilles Robert wrote:
Hi,
Using Spring boot (2.5.4) with Tomcat (9.0.52), the HTTP TRACE method
is disabled by default and returns a 405 method not allowed, which is
what I expect security-wise. My issue is that if one gives a malicious
header:
header: malicious: alert('malicious call');
it's given back in the response:
TRACE /xyz/error HTTP/1.1
malicious: alert('malicious call');
user-agent: PostmanRuntime/7.22.0
accept: */*
host: localhost:8080
accept-encoding: gzip, deflate, br
content-length: 0
connection: keep-alive
This is conform to the RFC 2616 which states:
"If the request is valid, the response SHOULD contain the entire
request message in the entity-body, with a Content-Type of
"message/http"."
Do you mean that you are seeing the TRACE response even when TRACE is
disabled?
Or is the issue that if TRACE is enabled, then you see the "malicious"
header in the response?
Mark
My penetration test team is complaining about it.
How can I remove any HTML entities from the TRACE response, without
having to enable it, cleaning the tags and returning the 405 myself?
Thanks!
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Http TRACE method headers in response body
On 08/09/2021 16:15, Gilles Robert wrote:
My issue is that even though TRACE is disabled, we see the "malicious"
header in the response.
You need to talk to the Spring folks then. Default Tomcat behaviour is
to return a 405 with an error message in the response. I've just doubled
checked this with telnet and 9.0.x.
As an aside, the idea that any TRACE response is a security issue with
the server, whether it contains a "malicious" header or not is nonsense.
The only thing a user agent anywhere should be doing with a TRACE
response is displaying it as plain text. If a user agent does something
else with the response, and especially if it does something reckless
like treating it is HTML, then than is a security issue with the user
agent, not the server.
Mark
On Wed, 8 Sept 2021 at 17:01, Mark Thomas wrote:
On 08/09/2021 14:14, Gilles Robert wrote:
Hi,
Using Spring boot (2.5.4) with Tomcat (9.0.52), the HTTP TRACE method
is disabled by default and returns a 405 method not allowed, which is
what I expect security-wise. My issue is that if one gives a malicious
header:
header: malicious: alert('malicious call');
it's given back in the response:
TRACE /xyz/error HTTP/1.1
malicious: alert('malicious call');
user-agent: PostmanRuntime/7.22.0
accept: */*
host: localhost:8080
accept-encoding: gzip, deflate, br
content-length: 0
connection: keep-alive
This is conform to the RFC 2616 which states:
"If the request is valid, the response SHOULD contain the entire
request message in the entity-body, with a Content-Type of
"message/http"."
Do you mean that you are seeing the TRACE response even when TRACE is
disabled?
Or is the issue that if TRACE is enabled, then you see the "malicious"
header in the response?
Mark
My penetration test team is complaining about it.
How can I remove any HTML entities from the TRACE response, without
having to enable it, cleaning the tags and returning the 405 myself?
Thanks!
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Http TRACE method headers in response body
My issue is that even though TRACE is disabled, we see the "malicious"
header in the response.
On Wed, 8 Sept 2021 at 17:01, Mark Thomas wrote:
>
> On 08/09/2021 14:14, Gilles Robert wrote:
> > Hi,
> >
> > Using Spring boot (2.5.4) with Tomcat (9.0.52), the HTTP TRACE method
> > is disabled by default and returns a 405 method not allowed, which is
> > what I expect security-wise. My issue is that if one gives a malicious
> > header:
> >
> > header: malicious: alert('malicious call');
> >
> > it's given back in the response:
> >
> > TRACE /xyz/error HTTP/1.1
> > malicious: alert('malicious call');
> > user-agent: PostmanRuntime/7.22.0
> > accept: */*
> > host: localhost:8080
> > accept-encoding: gzip, deflate, br
> > content-length: 0
> > connection: keep-alive
> >
> > This is conform to the RFC 2616 which states:
> >
> > "If the request is valid, the response SHOULD contain the entire
> > request message in the entity-body, with a Content-Type of
> > "message/http"."
>
> Do you mean that you are seeing the TRACE response even when TRACE is
> disabled?
>
> Or is the issue that if TRACE is enabled, then you see the "malicious"
> header in the response?
>
> Mark
>
>
> >
> > My penetration test team is complaining about it.
> >
> > How can I remove any HTML entities from the TRACE response, without
> > having to enable it, cleaning the tags and returning the 405 myself?
> >
> > Thanks!
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Http TRACE method headers in response body
On 08/09/2021 14:14, Gilles Robert wrote:
Hi,
Using Spring boot (2.5.4) with Tomcat (9.0.52), the HTTP TRACE method
is disabled by default and returns a 405 method not allowed, which is
what I expect security-wise. My issue is that if one gives a malicious
header:
header: malicious: alert('malicious call');
it's given back in the response:
TRACE /xyz/error HTTP/1.1
malicious: alert('malicious call');
user-agent: PostmanRuntime/7.22.0
accept: */*
host: localhost:8080
accept-encoding: gzip, deflate, br
content-length: 0
connection: keep-alive
This is conform to the RFC 2616 which states:
"If the request is valid, the response SHOULD contain the entire
request message in the entity-body, with a Content-Type of
"message/http"."
Do you mean that you are seeing the TRACE response even when TRACE is
disabled?
Or is the issue that if TRACE is enabled, then you see the "malicious"
header in the response?
Mark
My penetration test team is complaining about it.
How can I remove any HTML entities from the TRACE response, without
having to enable it, cleaning the tags and returning the 405 myself?
Thanks!
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
