Re: [WEB SECURITY] cross site trace
- From: Jeremiah Grossman <jeremiah@xxxxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] cross site trace
- Date: Fri, 18 Jul 2008 11:42:54 -0700
Hi Raymond,
Every year XST becomes less of a risk because, as you noticed, most/all
recent major Web browser versions do not allow TRACE/TRACK requests via
JavaScript. However, roughly 1/4 of the Web uses IE 6 SP2, which has the
following issue where you can bypass the restriction:
XST Strikes Back - Amit Klein, January 2006
http://www.webappsec.org/lists/websecurity/archive/2006-01/msg00051.html
Essentially XST's usefulness comes down to bypassing the httpOnly
flag and maybe grabbing a few other headers in the process.
Additional reading material:
http://www.webappsec.org/lists/websecurity/archive/2006-05/msg00025.html
http://jeremiahgrossman.blogspot.com/2007/04/xst-lives-bypassing-httponly.html
As for prioritization, my view is if you have other garden variety
XSS issues, fix those first. XST has about the same severity as most
other reflective XSS vulns, but with the lower threat (less likely to
be exploited). Hope this helps.
Regards,
Jeremiah-
On Jul 18, 2008, at 10:44 AM, Raymond Forbes wrote:
So, this vulnerability keeps coming up on scans and audits.
Considering the number of clients that even support trace has
dramatically shrunk, this would seem to me to not be a serious issue
anymore. Not that I am saying it isn't worth fixing, but when
prioritizing with other vulnerabilities this ends up on the low side.
Am I off base here?
-Raymond
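As an added example (not from the thread or either author), here is a small Python check for the precondition Jeremiah describes: whether a server still answers TRACE by echoing the request headers back, Cookie included, which is what lets script read a cookie that httpOnly was meant to hide. The marker header name, the sample host and the cookie value are constructed for the probe and are not from the thread.

```python
import http.client
import secrets

# Hypothetical header name used only as a reflection marker (not from the thread).
MARKER_HEADER = "X-Trace-Probe"


def trace_reflects_headers(status, content_type, body, marker):
    """Decide from a TRACE response whether the server echoed our request headers.

    Per RFC 7231 a genuine TRACE reply is 200 with Content-Type message/http and
    the request as its body. Requiring the marker in the body avoids mistaking a
    catch-all 200 page for a real echo.
    """
    if status != 200:
        return False
    if "message/http" not in content_type.lower():
        return False
    return marker in body


def check_trace(host, port=80, path="/", timeout=5.0):
    """Send one TRACE with a marker header and a dummy cookie; report the verdict."""
    marker = secrets.token_hex(8)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={
            MARKER_HEADER: marker,
            "Cookie": "session=dummy-probe-value",  # constructed, not a real cookie
        })
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", errors="replace")
        echoed = trace_reflects_headers(
            resp.status, resp.getheader("Content-Type", ""), body, marker)
        return {"status": resp.status, "trace_enabled": echoed}
    finally:
        conn.close()


# Constructed sample of what a server with TRACE enabled sends back: the
# Cookie header comes straight back in the body, where script could read it.
SAMPLE_BODY = (
    "TRACE / HTTP/1.1\r\nHost: example.test\r\n"
    "X-Trace-Probe: deadbeef\r\nCookie: session=dummy-probe-value\r\n\r\n"
)

if __name__ == "__main__":
    print("sample echo:", trace_reflects_headers(200, "message/http", SAMPLE_BODY, "deadbeef"))
    # Live check against a host you administer, e.g. after setting Apache's TraceEnable off:
    # print(check_trace("localhost"))
```

On Apache the mitigation is `TraceEnable off`; on other servers or a fronting proxy, disable the TRACE and TRACK methods and rerun the check to confirm the echo is gone.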
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss
[RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org