Re: Http TRACE method headers in response body

[Mark Thomas]

On 08/09/2021 16:15, Gilles Robert wrote:
My issue is that even though TRACE is disabled, we see the "malicious"
header in the response.

You need to talk to the Spring folks then. Default Tomcat behaviour is 
to return a 405 with an error message in the response. I've just doubled 
checked this with telnet and 9.0.x.

<rant>
As an aside, the idea that any TRACE response is a security issue with 
the server, whether it contains a "malicious" header or not is nonsense. 
The only thing a user agent anywhere should be doing with a TRACE 
response is displaying it as plain text. If a user agent does something 
else with the response, and especially if it does something reckless 
like treating it is HTML, then than is a security issue with the user 
agent, not the server.
</rant>

Mark



On Wed, 8 Sept 2021 at 17:01, Mark Thomas <ma...@apache.org> wrote:

On 08/09/2021 14:14, Gilles Robert wrote:
Hi,

Using Spring boot (2.5.4) with Tomcat (9.0.52), the HTTP TRACE method
is disabled by default and returns a 405 method not allowed, which is
what I expect security-wise. My issue is that if one gives a malicious
header:

header: malicious: <script>alert('malicious call');</script>

it's given back in the response:

TRACE /xyz/error HTTP/1.1
malicious: <script>alert('malicious call');</script>
user-agent: PostmanRuntime/7.22.0
accept: */*
host: localhost:8080
accept-encoding: gzip, deflate, br
content-length: 0
connection: keep-alive

This is conform to the RFC 2616 which states:

"If the request is valid, the response SHOULD contain the entire
request message in the entity-body, with a Content-Type of
"message/http"."

Do you mean that you are seeing the TRACE response even when TRACE is
disabled?

Or is the issue that if TRACE is enabled, then you see the "malicious"
header in the response?

Mark



My penetration test team is complaining about it.

How can I remove any HTML entities from the TRACE response, without
having to enable it, cleaning the tags and returning the 405 myself?

Thanks!

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org