Block TRACE HTTP Verb by default

Description

Undertow responds to the TRACE verb by default for static files, which can be exploited. Configure Undertow to not respond to TRACE.

Here's info on the exploit https://www.owasp.org/index.php/Cross_Site_Tracing

Here's a sample rewrite rule snippet used to block TRACE in the meantime:

<rule>
    <note>Deny TRACE/TRACK HTTP Verb</note>
    <condition type="method" casesensitive="false" operator="equal">TRACE|TRACK</condition>
    <set type="status">403</set>
    <to>null</to>
</rule>
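The rewrite rule above relies on the URL rewrite filter being in front of the request. The same block can be done in Undertow itself, before any resource handler sees the request. The following is an added example, not code from the ticket or from the Undertow project: a hypothetical NoTraceServer class that wraps a static-file ResourceHandler with a handler which answers TRACE and TRACK with 403 (the same status the rewrite rule sets). The listener address, port and the "webroot" directory are assumptions for the example.

```java
import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.resource.PathResourceManager;
import io.undertow.server.handlers.resource.ResourceHandler;
import io.undertow.util.HttpString;
import io.undertow.util.Methods;
import io.undertow.util.StatusCodes;

import java.nio.file.Paths;

// Added example (hypothetical class name); shows one way to refuse TRACE/TRACK
// inside Undertow rather than in a rewrite rule.
public class NoTraceServer {

    // Undertow ships a constant for TRACE but not for TRACK, so build it here.
    private static final HttpString TRACK = new HttpString("TRACK");

    // Wrap any handler so that TRACE/TRACK never reach it. The rewrite rule on
    // the page returns 403, so this does the same; 405 would also be defensible.
    static HttpHandler denyTraceAndTrack(HttpHandler next) {
        return exchange -> {
            HttpString method = exchange.getRequestMethod();
            if (method.equals(Methods.TRACE) || method.equals(TRACK)) {
                exchange.setStatusCode(StatusCodes.FORBIDDEN);
                // End the exchange without echoing anything from the request.
                exchange.endExchange();
                return;
            }
            next.handleRequest(exchange);
        };
    }

    public static void main(String[] args) {
        // Static-file serving, the case the ticket describes as exploitable by default.
        // "webroot" is an assumed directory for this example.
        HttpHandler staticFiles = new ResourceHandler(
                new PathResourceManager(Paths.get("webroot"), 1024));

        Undertow server = Undertow.builder()
                .addHttpListener(8080, "127.0.0.1")   // assumed address/port
                .setHandler(denyTraceAndTrack(staticFiles))
                .build();
        server.start();
    }
}
```

To confirm the block is in place, send a TRACE request and a TRACK request to the listener (for example, curl -i -X TRACE http://127.0.0.1:8080/ and curl -i -X TRACK http://127.0.0.1:8080/) and check that both come back 403 with an empty body and that none of the request headers are echoed; a normal GET to a file under webroot should still return 200. Undertow also has a built-in io.undertow.server.handlers.DisallowedMethodsHandler that can wrap the same handler and reject listed methods with 405, if matching the rewrite rule's 403 is not required.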

Status

Assignee

Unassigned

Reporter

Brad Wood

Labels

None

Components

Priority

Major