Vulnerability report: HTTP TRACE XSS attack

Summary: protecting the host against DDoS attacks

I recently reviewed a vulnerability scan report and found that the host has a serious finding: HTTP TRACE XSS attack

The vulnerability is described as follows:

Synopsis :
Debugging functions are enabled on the remote HTTP server.
Description :
The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.
It has been shown that servers supporting this method are subject to
cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when
used in conjunction with various weaknesses in browsers.
An attacker may use this flaw to trick your legitimate web users to give
him their credentials.

According to the solution given in the report, the TRACE method must be disabled in Apache.

For more detail I googled and found an article that says this vulnerability could lead to DDoS attacks and proposes a fix.

http://pc-freak.net/blog/disable-apache-http-trace-method-to-improve-apache-security/
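As an added example, not code from the original post or the linked article: on Apache httpd 2.0.55 and later the fix is the core directive `TraceEnable off` (older versions use the mod_rewrite rule quoted in the comments), and the script below classifies a server's answer to a TRACE request so the fix can be verified on your own host. The host name passed to `check_host` is a hypothetical placeholder; the two sample responses are constructed, not captured.

```shell
#!/bin/sh
# Remediation in httpd.conf (Apache >= 2.0.55):
#   TraceEnable off
# Fallback for older Apache with mod_rewrite:
#   RewriteEngine on
#   RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
#   RewriteRule .* - [F]
#
# A server with TRACE enabled answers "200 OK" with
# Content-Type: message/http and echoes the request (including any
# Cookie header) back in the body; with TraceEnable off Apache answers
# "405 Method Not Allowed".

# trace_enabled RESPONSE -> exit 0 if the response shows TRACE is enabled.
trace_enabled() {
  status=$(printf '%s\n' "$1" | head -n 1 | awk '{print $2}')
  ctype=$(printf '%s\n' "$1" | grep -i '^Content-Type:' | head -n 1)
  case "$status" in
    200) printf '%s' "$ctype" | grep -qi 'message/http' && return 0 ;;
  esac
  return 1
}

# Constructed sample: what a vulnerable server sends back.
VULN_RESPONSE='HTTP/1.1 200 OK
Content-Type: message/http

TRACE / HTTP/1.1
Host: example.internal
Cookie: SESSIONID=constructed-sample'

# Constructed sample: Apache with TraceEnable off.
FIXED_RESPONSE='HTTP/1.1 405 Method Not Allowed
Allow: GET,HEAD,POST,OPTIONS
Content-Type: text/html; charset=iso-8859-1'

# check_host HOST -> live check of your own server (needs curl).
check_host() {
  resp=$(curl -s -i -X TRACE "http://$1/")
  if trace_enabled "$resp"; then
    echo "$1: TRACE enabled, set TraceEnable off"
    return 1
  fi
  echo "$1: TRACE disabled"
}
```

Run `check_host www.example.internal` (placeholder host) after restarting Apache to confirm the 405 response.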