My issue is that even though TRACE is disabled, we see the "malicious"
header in the response.

On Wed, 8 Sept 2021 at 17:01, Mark Thomas <ma...@apache.org> wrote:
>
> On 08/09/2021 14:14, Gilles Robert wrote:
> > Hi,
> >
> > Using Spring Boot (2.5.4) with Tomcat (9.0.52), the HTTP TRACE method
> > is disabled by default and returns a 405 method not allowed, which is
> > what I expect security-wise. My issue is that if one gives a malicious
> > header:
> >
> > header: malicious: <script>alert('malicious call');</script>
> >
> > it's given back in the response:
> >
> > TRACE /xyz/error HTTP/1.1
> > malicious: <script>alert('malicious call');</script>
> > user-agent: PostmanRuntime/7.22.0
> > accept: */*
> > host: localhost:8080
> > accept-encoding: gzip, deflate, br
> > content-length: 0
> > connection: keep-alive
> >
> > This conforms to RFC 2616, which states:
> >
> > "If the request is valid, the response SHOULD contain the entire
> > request message in the entity-body, with a Content-Type of
> > "message/http"."
>
> Do you mean that you are seeing the TRACE response even when TRACE is
> disabled?
>
> Or is the issue that if TRACE is enabled, then you see the "malicious"
> header in the response?
>
> Mark
>
>
> >
> > My penetration test team is complaining about it.
> >
> > How can I remove any HTML entities from the TRACE response, without
> > having to enable it, cleaning the tags and returning the 405 myself?
> >
> > Thanks!
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
>
>
>

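The check the thread revolves around, as an added example (not code from the thread, from Tomcat or from Spring Boot): a small Python script that sends a TRACE request carrying a recognisable canary header and reports the status code and whether the canary comes back in the body, which is exactly what a pentest team would look for. The two handler classes are constructed stand-ins for a server that echoes TRACE per RFC 2616 and one that refuses it with 405; the canary name and value, the `verdict` wording and the `/xyz/error` path are assumptions chosen for the example.

```python
"""Probe a server's TRACE handling and look for header reflection.

Added example, not code from the thread, Tomcat or Spring Boot.  The two
handler classes below are stand-ins so the script runs offline; point
trace_check() at a real host and port to test an actual deployment.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed canary: harmless, but unmistakable if it is reflected.
CANARY_NAME = "X-Trace-Canary"
CANARY_VALUE = "<script>alert('canary')</script>"


def trace_check(host, port, path="/"):
    """Send TRACE with the canary header; return (status, reflected, content_type)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", path, headers={CANARY_NAME: CANARY_VALUE})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", errors="replace")
        return resp.status, CANARY_VALUE in body, resp.getheader("Content-Type")
    finally:
        conn.close()


def verdict(status, reflected):
    """Classify the outcome in the terms the thread uses (assumed wording)."""
    if status == 405 and not reflected:
        return "TRACE disabled, nothing echoed"
    if status == 405 and reflected:
        return "405 returned but the header is still echoed: inspect what built the error body"
    if reflected:
        return "TRACE enabled and the request is echoed (cross-site tracing exposure)"
    return "TRACE answered with %d, header not echoed" % status


class EchoingTraceHandler(BaseHTTPRequestHandler):
    """Stand-in for a server that implements TRACE as RFC 2616 describes."""

    def do_TRACE(self):
        # Echo the request line and every request header as message/http.
        body = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


class RefusingTraceHandler(BaseHTTPRequestHandler):
    """Stand-in for a server with TRACE switched off: 405 and no echo."""

    def do_TRACE(self):
        body = b"405 Method Not Allowed\r\n"
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def run_against(handler_cls, path="/xyz/error"):
    """Start a stand-in server on an ephemeral port, probe it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return trace_check("127.0.0.1", server.server_address[1], path)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for cls in (EchoingTraceHandler, RefusingTraceHandler):
        status, reflected, ctype = run_against(cls)
        print(cls.__name__, status, ctype, verdict(status, reflected))
```

Against Tomcat itself, the `allowTrace` attribute of the Connector defaults to `false` and yields the 405 the original poster describes; running the probe against the real deployment tells you which of the four outcomes you actually have, which is the distinction Mark is asking about.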
