1. Server scan findings
HTTP TRACE Method Enabled
Description
The Apache server has the TRACE method enabled.
1. TRACE is a diagnostic method defined by the HTTP (Hypertext Transfer) protocol: the server echoes the request it received, request line and headers included, back to the client unchanged.
2. Because the response reflects whatever the client sent, a script running in a victim's browser can use TRACE to read the request headers the browser attached, such as Cookie and Authorization. This is the cross-site tracing (XST) attack, a variant of cross-site scripting (XSS). Current browsers refuse to issue TRACE from XMLHttpRequest and fetch(), so the finding today mainly concerns the information the echo reveals, but the method should still be disabled.
Harm:
1. The echoed request reveals headers that devices in front of the origin server add or rewrite (for example Via or X-Forwarded-For from a cache or reverse proxy), which helps an attacker map the site's front end before the next step of an attack.
2. TRACE can serve as the reflection point of an XST/XSS attack.
3. Even when cookies carry the HttpOnly flag, which stops scripts from reading them through document.cookie on critical pages, a script that can make the browser send a TRACE request receives the Cookie header back in the response body and so bypasses that protection.
Solution:
Add the following to httpd.conf (TraceEnable is valid in the server configuration and in virtual host context, not in .htaccess) and restart Apache; the server then answers TRACE with 405 Method Not Allowed:
TraceEnable off
Missing HttpOnly Flag from Cookie
Description
A cookie set without the HttpOnly flag can be read by JavaScript through the browser's document.cookie property, so any script injected into the page (for example through XSS) can steal the session identifier and use it to impersonate the user.
Solution:
Set the HttpOnly flag (and the Secure flag, for sites served over HTTPS) on every session cookie. The Set-Cookie header the server sends to the browser has the following form:
Set-Cookie: name=value[; name=value]
[; expires=date] [; domain=domain_name]
[; path=path] [; secure] [; HttpOnly]
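An audit of Set-Cookie headers for the missing flags, as an added example that is not code from the original page. It parses each header the way RFC 6265 describes (first token is name=value, remaining tokens are attributes compared case-insensitively) and reports cookies lacking HttpOnly or Secure; the SameSite=None check goes one step beyond the page. The response headers in SAMPLE_RESPONSE_HEADERS are constructed for illustration.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure flags.

Added example, not from the original page. SAMPLE_RESPONSE_HEADERS is a
constructed response; parsing follows RFC 6265 section 5.2.
"""
from typing import Dict, List, Tuple, Union

Attr = Union[str, bool]   # attribute value, or True for a flag such as HttpOnly

# Constructed sample: one hardened cookie, one with no flags, one tracker cookie.
SAMPLE_RESPONSE_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: JSESSIONID=1A2B3C; Path=/; HttpOnly; Secure
Set-Cookie: prefs=dark; Path=/
Set-Cookie: tracker=abc; Path=/; Secure; SameSite=None
"""


def parse_set_cookie(header: str) -> Dict[str, Attr]:
    """Split one Set-Cookie value into {'name', 'value', <attr-lowercased>: value|True}."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, Attr] = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_value, val = attr.partition("=")
        # Flags (HttpOnly, Secure) have no value; attributes like Path do.
        cookie[key.strip().lower()] = val.strip() if has_value else True
    return cookie


def audit_cookie(header: str) -> Tuple[str, List[str]]:
    """Return (cookie name, list of findings); an empty list means the cookie is OK."""
    c = parse_set_cookie(header)
    name = str(c["name"])
    findings: List[str] = []
    if "httponly" not in c:
        findings.append(f"{name}: missing HttpOnly (readable via document.cookie)")
    if "secure" not in c:
        findings.append(f"{name}: missing Secure (also sent over plain HTTP)")
    samesite = c.get("samesite")
    if isinstance(samesite, str) and samesite.lower() == "none" and "secure" not in c:
        findings.append(f"{name}: SameSite=None is only accepted together with Secure")
    return name, findings


def audit_response(raw_headers: str) -> Dict[str, List[str]]:
    """Audit every Set-Cookie line in a raw response header block."""
    report: Dict[str, List[str]] = {}
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            name, findings = audit_cookie(value.strip())
            report[name] = findings
    return report


if __name__ == "__main__":
    for cookie_name, problems in audit_response(SAMPLE_RESPONSE_HEADERS).items():
        print(cookie_name, "OK" if not problems else problems)
```

When the application cannot be changed, Apache with mod_headers can add the flags itself with `Header edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure"` (a directive the page does not list); note that it appends the flags blindly, so a cookie the application already hardened ends up with the attributes repeated.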
Click Jacking
Description
Clickjacking (click hijacking) was described by the security researchers Robert Hansen and Jeremiah Grossman in 2008.
It is a visual deception: the attacker's page loads the target site in a transparent, invisible iframe positioned over decoy content, so that the user, without realising it, clicks the button or link on the target page that the attacker wants clicked.
Solution:
The X-Frame-Options HTTP response header tells the browser whether a page may be loaded inside a frame or iframe. A site prevents clickjacking by setting X-Frame-Options so that its pages cannot be embedded in pages of other sites.
X-Frame-Options
X-Frame-Options takes one of three values:
DENY: the page may not be displayed in a frame or iframe at all, not even by a page of the same site.
SAMEORIGIN: the page may only be framed by pages of the same origin.
ALLOW-FROM uri: the page may only be framed by the specified origin. This value is obsolete: current browsers do not support it and ignore the whole header when they see it, which leaves the page frameable. Where a specific third-party origin must be allowed, use the Content-Security-Policy frame-ancestors directive instead.
Apache Configuration for X-Frame-Options
Add the following to the server configuration file httpd.conf (mod_headers must be loaded) so that pages can only be framed by pages of the same site:
Header always set X-Frame-Options "SAMEORIGIN"
Restart Apache after the change. The same configuration works for IBM HTTP Server, which is based on Apache. "set" replaces any value the application may already have emitted instead of appending a second one, and "always" makes the header appear on error responses as well.
If several sites run on the same Apache server and only one of them should get the header, add the following to that site's .htaccess file instead (the directory must allow it with AllowOverride FileInfo):
Header always set X-Frame-Options "SAMEORIGIN"
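To see what the three values actually decide, the following is an added example (not code from the page) that evaluates a response's headers the way a current browser does: X-Frame-Options DENY and SAMEORIGIN are honoured, the obsolete ALLOW-FROM is ignored, and a Content-Security-Policy frame-ancestors directive, when present, takes precedence. The page, partner and attacker URLs and the header sets in demo() are constructed.

```python
"""Decide whether a page may be framed by a given origin.

Added example, not the page's or any browser's code. Implements
X-Frame-Options (DENY, SAMEORIGIN; ALLOW-FROM ignored as in current
browsers) and CSP frame-ancestors ('none', 'self', *, scheme and host
sources, simplified). Origins and headers in demo() are constructed.
"""
from typing import Dict, Mapping, Optional, Tuple
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """scheme://host[:port], lower-cased, which is what browsers compare."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def xfo_allows(value: str, page_origin: str, framer_origin: str) -> Optional[bool]:
    """Apply X-Frame-Options. None means the value is ignored (same as no header)."""
    v = value.strip().upper()
    if v == "DENY":
        return False
    if v == "SAMEORIGIN":
        return page_origin == framer_origin
    return None   # ALLOW-FROM and anything else: unsupported, header ignored


def _host_source_matches(src: str, page_origin: str, framer_origin: str) -> bool:
    """Match one CSP scheme-source or host-source against the framer's origin."""
    f_scheme, _, f_host = framer_origin.partition("://")
    if src.endswith(":") and "/" not in src:       # scheme-source such as https:
        return f_scheme == src[:-1]
    scheme, sep, host = src.partition("://")
    if not sep:                                     # bare host: page's own scheme is implied
        scheme, host = page_origin.partition("://")[0], src
    if scheme != f_scheme:
        return False
    if host.startswith("*."):                       # *.example.com matches subdomains only
        return f_host.endswith(host[1:])
    return host == f_host


def frame_ancestors_allows(directive: str, page_origin: str, framer_origin: str) -> bool:
    """Apply a frame-ancestors source list; an empty list or 'none' denies."""
    for src in (s.lower() for s in directive.split()):
        if src == "'none'":
            continue
        if src == "*":
            return True
        if src == "'self'":
            if page_origin == framer_origin:
                return True
        elif _host_source_matches(src, page_origin, framer_origin):
            return True
    return False


def framing_allowed(headers: Mapping[str, str], page_url: str, framer_url: str) -> bool:
    """True if a browser would render page_url inside a frame hosted at framer_url.

    frame-ancestors, when present, overrides X-Frame-Options (CSP level 2);
    an absent or ignored X-Frame-Options permits framing.
    """
    page, framer = origin_of(page_url), origin_of(framer_url)
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return frame_ancestors_allows(value, page, framer)
    xfo = h.get("x-frame-options")
    if xfo is not None:
        verdict = xfo_allows(xfo, page, framer)
        if verdict is not None:
            return verdict
    return True


def demo() -> Dict[str, Tuple[bool, bool, bool]]:
    """For each constructed header set: (same-site framer, partner, attacker) allowed?"""
    page = "https://www.example.com/account/transfer"
    same = "https://www.example.com/dashboard"
    partner = "https://partner.example/widget"
    attacker = "https://attacker.example/decoy"
    cases = {
        "no_header": {},
        "deny": {"X-Frame-Options": "DENY"},
        "sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
        "allow_from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
        "csp": {"X-Frame-Options": "DENY",
                "Content-Security-Policy":
                    "default-src 'self'; frame-ancestors 'self' https://partner.example"},
    }
    return {name: (framing_allowed(h, page, same),
                   framing_allowed(h, page, partner),
                   framing_allowed(h, page, attacker)) for name, h in cases.items()}


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:12s} same={verdict[0]} partner={verdict[1]} attacker={verdict[2]}")
```

The "allow_from" row is the point of the caveat above: because the value is ignored, the page ends up as frameable as if no header had been sent, whereas the "csp" row lets the partner in while still keeping the attacker out.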
Apache httpd: error responses can expose cookies (CVE-2012-0053)
Description
Apache HTTP Server 2.2.0 through 2.2.21 has a vulnerability (CVE-2012-0053): an attacker who can run script in the victim's browser for the site (or set cookies from a sibling subdomain) plants cookies large enough that the Cookie header exceeds LimitRequestFieldSize, the maximum size of a single request header field (8190 bytes by default). Apache then answers with a 400 Bad Request whose default error page echoes the offending header field, including cookies protected by HttpOnly, so the script can read them from the response body.
Solution:
Apache 2.2.22 and later fix this issue; upgrading resolves it. Where upgrading must wait, configuring a static ErrorDocument for status 400 that does not echo the request is the usual workaround.
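The two findings above that can be confirmed with a plain HTTP request, the enabled TRACE method from section 1 and the CVE-2012-0053 cookie echo, as one added check that is not code from the page or from Apache. trace_enabled() sends a TRACE with a marker header and looks for the marker in the body; error_page_leaks_cookie() sends a Cookie header longer than LimitRequestFieldSize (assumed to be the 8190-byte default) and looks for the planted value in the 400 page. MockApache is a constructed stand-in that imitates a pre-2.2.22 server with TraceEnable on and a hardened one, so demo() exercises both checks offline; the marker and cookie strings are arbitrary.

```python
"""Probe a web server for an enabled HTTP TRACE method and for a 400 error
page that echoes an oversized Cookie header (the CVE-2012-0053 pattern).

Added example, not the page's or Apache's own code. The two probe
functions work against any host:port; MockApache is a constructed stand-in
so demo() runs offline.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

FIELD_LIMIT = 8190                    # Apache's default LimitRequestFieldSize (bytes), assumed
PROBE = "xst-probe-7f3a"              # arbitrary marker TRACE should echo back
SECRET = "HTTPONLY-SESSION-SECRET"    # stands in for a cookie value scripts must not see


def trace_enabled(host: str, port: int, path: str = "/") -> bool:
    """TRACE is enabled if a 200 response echoes our marker header in its body."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", path, headers={"X-Probe": PROBE})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
    finally:
        conn.close()
    return resp.status == 200 and PROBE in body


def error_page_leaks_cookie(host: str, port: int, limit: int = FIELD_LIMIT) -> bool:
    """Send a Cookie header longer than limit; leak if the 400 page echoes the value."""
    cookie = "session=" + SECRET + "; pad=" + "A" * limit   # certainly exceeds limit
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", "/", headers={"Cookie": cookie})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
    finally:
        conn.close()
    return resp.status == 400 and SECRET in body


class MockApache(BaseHTTPRequestHandler):
    """Constructed stand-in for httpd; subclasses flip the two behaviours."""
    trace_on = True       # TraceEnable on
    echo_field = True     # pre-2.2.22: the oversized field is echoed in the 400 page

    def log_message(self, *args):   # keep the demo quiet
        pass

    def _reply(self, status: int, body: str) -> None:
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        for name, value in self.headers.items():
            if len(name) + 2 + len(value) > FIELD_LIMIT:   # "Name: value" too long
                msg = "Size of a request header field exceeds server limit.\n"
                if self.echo_field:
                    msg += f"{name}: {value}\n"
                self._reply(400, msg)
                return
        self._reply(200, "ok\n")

    def do_TRACE(self):
        if not self.trace_on:
            self._reply(405, "Method Not Allowed\n")     # what TraceEnable off yields
            return
        echo = self.requestline + "\r\n" + "".join(
            f"{k}: {v}\r\n" for k, v in self.headers.items())
        self._reply(200, echo)                            # request echoed verbatim


def start_server(handler) -> HTTPServer:
    srv = HTTPServer(("127.0.0.1", 0), handler)          # port 0: pick a free one
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo() -> dict:
    """Run both probes against a vulnerable and a hardened mock server."""
    results = {}
    for label, trace_on, echo in (("vulnerable", True, True), ("hardened", False, False)):
        handler = type(label, (MockApache,), {"trace_on": trace_on, "echo_field": echo})
        srv = start_server(handler)
        host, port = srv.server_address
        try:
            results[label] = {"trace": trace_enabled(host, port),
                              "cookie_leak": error_page_leaks_cookie(host, port)}
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    print(demo())
```

Against a real target, call trace_enabled(host, port) and error_page_leaks_cookie(host, port) directly; if the server is tuned with a larger LimitRequestFieldSize, pass that value as limit, since the probe only triggers the 400 when the header actually exceeds the configured size.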
Apache 2.2.15 Vulnerability Resolution