HTTP不安全方法漏洞分析与防护指南<\/h1>

一、HTTP请求方法概述<\/h2>

HTTP协议定义了多种请求方法，根据版本不同有所区别：<\/p>

HTTP 1.0定义的方法<\/strong>：<\/p>

GET：请求指定的资源<\/li>
POST：向指定资源提交数据进行处理请求<\/li>
HEAD：与GET相同，但只返回头部信息<\/li> <\/ul>
HTTP 1.1新增的方法<\/strong>：<\/p>

OPTIONS：返回服务器支持的HTTP方法<\/li>
PUT：向指定位置上传最新内容<\/li>
DELETE：请求服务器删除指定资源<\/li>
TRACE：回显服务器收到的请求，用于测试或诊断<\/li>
CONNECT：HTTP\/1.1协议中预留给能够将连接改为管道方式的代理服务器<\/li> <\/ul>
二、不安全HTTP方法的风险分析<\/h2>
1. OPTIONS方法风险<\/h3>

暴露服务器信息<\/strong>：会返回服务器支持的HTTP方法、中间件版本等敏感信息<\/li>
攻击面扩大<\/strong>：为攻击者提供服务器能力信息，便于针对性攻击<\/li> <\/ul>
2. PUT方法风险<\/h3>

文件上传漏洞<\/strong>：允许客户端向服务器上传文件<\/li>
WebShell上传<\/strong>：可被用于上传恶意脚本文件（如JSP、PHP等）<\/li>
无验证机制<\/strong>：默认不包含身份验证，容易滥用<\/li> <\/ul>
3. DELETE方法风险<\/h3>

资源删除<\/strong>：允许删除服务器上的文件<\/li>
数据破坏<\/strong>：可导致网站关键文件被删除，服务中断<\/li> <\/ul>
4. TRACE方法风险<\/h3>

跨站追踪攻击(XST)<\/strong>：可能被用于窃取Cookie等敏感信息<\/li>
反射型XSS<\/strong>：在某些情况下可被利用进行跨站脚本攻击<\/li> <\/ul>
5. CONNECT方法风险<\/h3>

代理滥用<\/strong>：可能被用于建立隧道连接，绕过安全控制<\/li> <\/ul>
三、漏洞验证与利用实例<\/h2>
测试环境搭建<\/h3>

操作系统：Windows 10 64位<\/li>
Web服务器：Tomcat 7.0.72<\/li>
测试工具：curl 7.49<\/li> <\/ul>
关键配置修改<\/h3>
Tomcat默认配置中，web.xml<\/code>文件的org.apache.catalina.servlets.DefaultServlet<\/code>的readonly<\/code>参数默认为true，需改为false以演示漏洞：<\/p>
<init-param><\/span> <\/span><\/span> <param-name><\/span>readonly<\/param-name><\/span> <\/span><\/span> <param-value><\/span>false<\/param-value><\/span> <\/span><\/span><\/init-param><\/span> <\/span><\/span><\/code><\/pre>漏洞利用步骤<\/h3> PUT上传文件测试<\/strong><\/p> curl -X PUT http:\/\/127.0.0.1:8080\/examples\/test.txt -d "test content"<\/span> <\/span><\/span><\/code><\/pre><\/li> DELETE删除文件测试<\/strong><\/p> curl -X DELETE http:\/\/127.0.0.1:8080\/examples\/test.txt <\/span><\/span><\/code><\/pre><\/li> 绕过限制上传JSP文件<\/strong><\/p> 直接上传.jsp文件会被JspServlet处理而失败<\/li> 利用特殊后缀绕过检测（CVE-2017-12615）： curl -X PUT http:\/\/127.0.0.1:8080\/examples\/shell.jsp%20 -d "<% out.println("<\/span>Hello JSP"); %>"<\/span> <\/span><\/span><\/code><\/pre><\/li> 其他绕过方法： shell.jsp::$DATA<\/code><\/li> shell.jsp\/<\/code><\/li> <\/ul> <\/li> <\/ul> <\/li> OPTIONS方法信息收集<\/strong><\/p> curl -X OPTIONS http:\/\/127.0.0.1:8080\/ -v <\/span><\/span><\/code><\/pre><\/li> <\/ol> 四、防护措施<\/h2> 1. 禁用不必要的HTTP方法<\/h3> Tomcat配置方法<\/strong>：在web.xml<\/code>中添加以下配置：<\/p> <security-constraint><\/span> <\/span><\/span> <web-resource-collection><\/span> <\/span><\/span> <url-pattern><\/span>\/*<\/url-pattern><\/span> <\/span><\/span> <http-method><\/span>PUT<\/http-method><\/span> <\/span><\/span> <http-method><\/span>DELETE<\/http-method><\/span> <\/span><\/span> <http-method><\/span>OPTIONS<\/http-method><\/span> <\/span><\/span> <http-method><\/span>TRACE<\/http-method><\/span> <\/span><\/span> <http-method><\/span>CONNECT<\/http-method><\/span> <\/span><\/span> <\/web-resource-collection><\/span> <\/span><\/span> <auth-constraint><\/auth-constraint><\/span> <\/span><\/span><\/security-constraint><\/span> <\/span><\/span><\/code><\/pre>Nginx配置方法<\/strong>：<\/p> if ($request_method !~ ^(GET|HEAD|POST)$ ) { return 405; } <\/code><\/pre> Apache配置方法<\/strong>：<\/p> <Location "\/"> <LimitExcept GET POST> Deny from all <\/LimitExcept> <\/Location> <\/code><\/pre> 2. 保持DefaultServlet的readonly为true<\/h3> 确保Tomcat配置中：<\/p> <init-param><\/span> <\/span><\/span> <param-name><\/span>readonly<\/param-name><\/span> <\/span><\/span> <param-value><\/span>true<\/param-value><\/span> <\/span><\/span><\/init-param><\/span> <\/span><\/span><\/code><\/pre>3. 定期安全扫描<\/h3> 使用工具检查服务器开放的HTTP方法：<\/p> curl -X OPTIONS http:\/\/example.com\/ -v <\/span><\/span>nmap --script http-methods.nse example.com <\/span><\/span><\/code><\/pre>4. 应用防火墙规则<\/h3> 在WAF中添加规则，拦截异常的HTTP方法请求。<\/p> 五、自查指南<\/h2> OPTIONS方法测试<\/strong><\/p> curl -X OPTIONS http:\/\/yourwebsite.com\/ -v <\/span><\/span><\/code><\/pre>检查返回的Allow<\/code>头部是否包含不必要的方法<\/p> <\/li> PUT\/DELETE方法测试<\/strong><\/p> 测试PUT上传： curl -X PUT http:\/\/yourwebsite.com\/testfile -d "test"<\/span> <\/span><\/span><\/code><\/pre><\/li> 测试DELETE删除： curl -X DELETE http:\/\/yourwebsite.com\/existingfile <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 全面方法测试<\/strong> 对每个目录测试所有HTTP方法，确认是否被禁用<\/p> <\/li> <\/ol> 六、总结建议<\/h2> 最小化原则<\/strong>：只开放业务必需的HTTP方法（通常只需GET和POST）<\/li> 默认安全<\/strong>：新部署环境应默认禁用非常用方法<\/li> 持续监控<\/strong>：定期检查服务器配置和开放的方法<\/li> 分层防御<\/strong>：在网络层、主机层和应用层同时实施防护<\/li> 及时更新<\/strong>：保持中间件版本最新，修复已知漏洞<\/li> <\/ol> 通过以上措施，可有效降低因不安全HTTP方法导致的安全风险，保护Web服务器免受攻击。<\/p>