
Re: [WEB SECURITY] cross site trace



This is one of those issues that it takes more time to debate than to
fix. One rule in your .conf or URLScan config and no more TRACE. While
you're at it, white-list only GET and POST and take care of a host of
other problems at the same time.

On Fri, Jul 18, 2008 at 11:42 AM, Jeremiah Grossman
<jeremiah@xxxxxxxxxxxxxxx> wrote:
> Hi Raymond,
>
> Every year XST becomes less of a risk because, as you noticed, most/all
> recent major Web browser versions do not allow TRACE/TRACK requests via
> JavaScript. However, roughly 1/4 of the Web uses IE 6 SP2, which has the
> following issue where you can bypass the restriction:
>
> XST Strikes Back - Amit Klein, January 2006
> http://www.webappsec.org/lists/websecurity/archive/2006-01/msg00051.html
>
> Essentially XST's usefulness comes down to bypassing the httpOnly flag and
> maybe grabbing a few other headers in the process. Additional reading
> material:
>
> http://www.webappsec.org/lists/websecurity/archive/2006-05/msg00025.html
> http://jeremiahgrossman.blogspot.com/2007/04/xst-lives-bypassing-httponly.html
>
> As for prioritization, my view is if you have other garden variety XSS
> issues, fix those first. XST has about the same severity as most other
> reflective XSS vulns, but with the lower threat (less likely to be
> exploited). Hope this helps.
>
>
> Regards,
>
> Jeremiah-
>
>
> On Jul 18, 2008, at 10:44 AM, Raymond Forbes wrote:
>
>> So, this vulnerability keeps coming up on scans and audits. Considering
>> the number of clients that even support TRACE has dramatically shrunk, this
>> would seem to me to not be a serious issue anymore. Not that I am saying it
>> isn't worth fixing but when prioritizing with other vulnerabilities this
>> ends up on the low side.
>> Am I off base here?
>>
>> -Raymond
>>
>>
>> ----------------------------------------------------------------------------
>> Join us on IRC: irc.freenode.net #webappsec
>>
>> Have a question? Search The Web Security Mailing List Archives:
>> http://www.webappsec.org/lists/websecurity/archive/
>>
>> Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>>
>> Join WASC on LinkedIn
>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>>

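A small verification script for the fix recommended in the top reply (disable TRACE, and TRACK on IIS). This is an added example, not code from the thread: it sends one TRACE/TRACK request carrying a constructed canary header and classifies the reply, since a server that still has the method enabled echoes the request back as message/http (the behaviour XST relies on), while a hardened server answers 405. The host name and canary value are assumptions.

```python
"""Check whether a web server still answers TRACE/TRACK (XST exposure).

Added example, not part of the original thread. A server with TRACE enabled
echoes the request back with Content-Type message/http; that echo is what
cross-site tracing abuses to read headers such as httpOnly cookies. A server
with the method disabled (e.g. Apache with 'TraceEnable off') answers 405.
"""
import http.client
import sys

# Constructed marker header; its presence in the body proves the echo.
CANARY_NAME = "X-Xst-Canary"
CANARY_VALUE = "4f9c-constructed"


def classify_trace_response(status: int, content_type: str, body: str) -> str:
    """Return 'enabled', 'disabled' or 'inconclusive' for one TRACE/TRACK reply."""
    echoed = f"{CANARY_NAME}: {CANARY_VALUE}".lower() in body.lower()
    if status == 200 and content_type.lower().startswith("message/http") and echoed:
        return "enabled"          # request echoed back: the XST surface is open
    if status == 200 and echoed:
        return "enabled"          # echoed with a wrong content type: still a leak
    if status in (405, 501):
        return "disabled"         # method rejected: the one-line fix is in place
    return "inconclusive"         # e.g. 403 from a WAF, a redirect, or a proxy


def probe_method(host: str, method: str, port: int = 80, path: str = "/",
                 timeout: float = 5.0) -> str:
    """Send a single TRACE or TRACK request and classify the answer."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path, headers={CANARY_NAME: CANARY_VALUE})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", errors="replace")
        return classify_trace_response(resp.status, resp.getheader("Content-Type", ""), body)
    finally:
        conn.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # assumed host
    for m in ("TRACE", "TRACK"):
        print(f"{target}: {m} {probe_method(target, m)}")
```

Run it against your own server before and after adding the rule; an 'inconclusive' result usually means a proxy or WAF answered instead of the origin, so check the origin directly.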
Brought to you by http://www.webappsec.org