
Re: [WEB SECURITY] Technical Note by Amit Klein: "XST Strikes Back"



On 25 Jan 2006 at 8:29, Jeremiah Grossman wrote:

> Impressive and scary, very nice find.
> 

Thanks :-)

> Couple of questions:
> 
> Does this affect proxies configured in both forward and reverse mode?

Yes, as far as I tested.

> 
> What's the best technique to determine if there is a proxy in front?
>

Well, send it a TRACE request with "Max-Forwards: 0", and see what comes out. This doesn't 
guarantee 100% success, but at the moment (with many proxies still supporting TRACE), it's 
a good (and cheap) shot. There are also telltale signs such as error messages.

> Have you done any testing to get a sense for the percentage of
> websites these days guarded by proxies?
>

Strictly speaking - I didn't. But keep in mind it's not just what's happening in the site's
farm, it's also what's out there in the Internet. I know that many ISPs use a transparent
proxy (between their clients and the Internet) to conserve bandwidth. And this proxy server
may support TRACE (indeed some of them do!) - which makes all the ISP clients vulnerable,
at all sites.
 
> 
> again, nice work.
>

Thanks. Wouldn't be possible if you didn't publish your original XST paper!

Ciao, 
-Amit

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
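
The "Max-Forwards: 0" check described in the message above, as an added example for auditing a front end you operate; it is not code from the original message or from the paper. It relies on the HTTP rule that a proxy receiving TRACE with Max-Forwards: 0 must answer itself instead of forwarding, and compares that reply with the reply to an unrestricted TRACE. All function names, the X-Probe-Id header and the sample replies are constructed for illustration.

```python
# Added example; all names and sample responses below are constructed.
SENT = {"host", "x-probe-id", "max-forwards"}  # headers our probe sends

def build_trace(host, max_forwards=None, probe_id="probe-1"):
    """Raw TRACE request; Max-Forwards: 0 asks the first hop to answer itself."""
    lines = ["TRACE / HTTP/1.1", f"Host: {host}", f"X-Probe-Id: {probe_id}"]
    if max_forwards is not None:
        lines.append(f"Max-Forwards: {max_forwards}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def parse_message(raw):
    """Split an HTTP message into (start line, lowercased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    start, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body

def is_trace_echo(start, headers):
    """True when the reply is a 200 whose body is the echoed request."""
    parts = start.split()
    return (len(parts) > 1 and parts[1] == "200"
            and headers.get("content-type", "").startswith("message/http"))

def assess(resp_hop0, resp_full):
    """Compare the Max-Forwards: 0 reply with the unrestricted reply."""
    findings = []
    s0, h0, _ = parse_message(resp_hop0)
    s1, h1, b1 = parse_message(resp_full)
    if is_trace_echo(s0, h0):
        findings.append("first hop answers TRACE")
    if h0.get("server") != h1.get("server"):
        findings.append("Server header differs between hops")
    if is_trace_echo(s1, h1):
        _, echoed, _ = parse_message(b1)
        added = sorted(set(echoed) - SENT)
        if added:
            findings.append("headers added in transit: " + ", ".join(added))
    return findings

# Constructed sample replies (documentation host and address, not captured traffic).
ECHO = b"TRACE / HTTP/1.1\r\nHost: www.example.test\r\nX-Probe-Id: probe-1\r\n"
HOP0 = (b"HTTP/1.1 200 OK\r\nServer: example-proxy\r\nContent-Type: message/http"
        b"\r\n\r\n" + ECHO + b"Max-Forwards: 0\r\n\r\n")
FULL = (b"HTTP/1.1 200 OK\r\nServer: example-origin\r\nContent-Type: message/http"
        b"\r\n\r\n" + ECHO + b"Via: 1.1 example-proxy\r\nX-Forwarded-For: 192.0.2.10\r\n\r\n")
```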


