Hi,

Using Spring Boot (2.5.4) with Tomcat (9.0.52), the HTTP TRACE method is disabled by default and returns a 405 Method Not Allowed, which is what I expect security-wise. My issue is that if one sends a malicious header:

    malicious: <script>alert('malicious call');</script>

it is given back in the response:

    TRACE /xyz/error HTTP/1.1
    malicious: <script>alert('malicious call');</script>
    user-agent: PostmanRuntime/7.22.0
    accept: */*
    host: localhost:8080
    accept-encoding: gzip, deflate, br
    content-length: 0
    connection: keep-alive

This conforms to RFC 2616, which states: "If the request is valid, the response SHOULD contain the entire request message in the entity-body, with a Content-Type of "message/http"."

My penetration test team is complaining about it. How can I remove any HTML entities from the TRACE response, without having to enable it, clean the tags and return the 405 myself?

Thanks!

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
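The echoed first line "TRACE /xyz/error HTTP/1.1" is the useful clue: the request is being forwarded to Spring Boot's /error page with the method still TRACE, and the echo is the standard javax.servlet HttpServlet.doTrace() behaviour of the servlet that receives that forward, not Tomcat's own TRACE handling. One way to keep the 405 but send an empty body is a plain servlet Filter registered for the ERROR dispatch as well as the REQUEST dispatch, so it runs on that forward and ends the response before any servlet can write the echo. The following is an added example, not code from the original post or from Tomcat or Spring Boot; the package name, the class names and the contents of the Allow header are assumptions, and it assumes a Spring Boot 2.5.x application on the javax.servlet API (Tomcat 9).

```java
package com.example.tracefilter; // assumed package name

import java.io.IOException;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;

/**
 * Rejects HTTP TRACE with a 405 and an empty body.
 *
 * Tomcat already answers TRACE with 405 when allowTrace is false, but it does so
 * through the error-page mechanism, which forwards to Spring Boot's /error page
 * with the method unchanged. The servlet that handles that forward inherits
 * HttpServlet.doTrace(), which echoes the request line and headers back to the
 * client. Registering this filter for the ERROR dispatch lets it finish the
 * response first, so nothing downstream can echo the headers.
 */
@Configuration
public class TraceMethodConfig {

    static class TraceRejectingFilter implements Filter {
        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;

            if (!"TRACE".equalsIgnoreCase(request.getMethod())) {
                chain.doFilter(req, res);
                return;
            }

            // Discard anything buffered so far but keep the headers Tomcat set.
            response.resetBuffer();
            response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            if (!response.containsHeader("Allow")) {
                // Assumed list; adjust to the methods the application really serves.
                response.setHeader("Allow", "GET, HEAD, POST, PUT, DELETE, OPTIONS, PATCH");
            }
            response.setContentLength(0);
            // Commit the response with an empty body; the request is not passed on,
            // so HttpServlet.doTrace() never runs and no client-supplied bytes are echoed.
            response.flushBuffer();
        }
    }

    @Bean
    public FilterRegistrationBean<TraceRejectingFilter> traceRejectingFilter() {
        FilterRegistrationBean<TraceRejectingFilter> registration =
                new FilterRegistrationBean<>(new TraceRejectingFilter());
        registration.addUrlPatterns("/*");
        // ERROR is the dispatch that matters here (the forward to /error);
        // REQUEST covers the case where someone later sets allowTrace="true".
        registration.setDispatcherTypes(DispatcherType.REQUEST, DispatcherType.ERROR);
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return registration;
    }
}
```

After adding this, the same Postman request should still return 405 but with Content-Length: 0 and no echoed headers; a quick check is "curl -i -X TRACE -H 'malicious: <script>' http://localhost:8080/xyz" and confirming the script text does not appear in the body. The ERROR dispatcher type is the part that is easy to miss: a filter registered only for REQUEST never sees the error-page forward, and Spring's OncePerRequestFilter skips error dispatches by default (shouldNotFilterErrorDispatch() returns true), which is why the example uses a plain javax.servlet.Filter.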