问题描述
应用部署到azure应用服务(linux + .net core 3.1(kestrel)) 我尝试使用 owasp zap 分析安全问题:
docker run -v [PATH_TO_REPORTS]:/zap/wrk/:rw owasp/zap2docker-stable zap-full-scan.py -t https://[URL] -I -a -j -m 5 -J report.json -r report.html
它返回警报:
*Description:*
2 proxy server(s) were detected or fingerprinted. This @R_634_4045@ion helps a potential attacker to deter@R_404_5886@
- A list of targets for an attack against the application.
- Potential vulnerabilities on the proxy servers that service the application.
- The presence or absence of any proxy-based components that might cause attacks against the application to be detected,prevented,or mitigated.
*URL:*
https://[URL]
https://[URL]/sitemap.xml
https://[URL]/ robots.txt
*Method:*
GET
*Attack:*
TRACE,OPTIONS methods with 'Max-Forwards' header. TRACK method.
*Other @R_634_4045@ion*
Using the TRACE,OPTIONS,and TRACK methods,the following proxy servers have been identified between Owasp ZAP and the application/web server:
- UnkNown
- Microsoft-IIS/10.0
The following web/application server has been identified:
- Nginx
但是在应用程序级别禁用了跟踪请求和服务器标头(即使在 docker 中也无法在本地重现)
问题仅在 azure 中重现(postman http 'TRACE' [URL] with 'Max-Forwards' = 0 or 1)
如何在 azure 端禁用 TRACE 请求?
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。
小编邮箱:dio#foxmail.com (将#修改为@)