Re: [WEB SECURITY] cross site trace

[Raymond Forbes <rforbes@xxxxxxxxxxxxxx>]

The problem comes down to URLScan for me. I am really not a fan of of  
especially on super high traffic servers.

Sent from my iPhone

On Jul 18, 2008, at 12:59 PM, "James Landis" <jcl24@xxxxxxxxxxx> wrote:

> This is one of those issues that it takes more time to debate than to
> fix. One rule in your .conf or URLScan config and no more TRACE. While
> you're at it, white-list only GET and POST and take care of a host of
> other problems at the same time.
>
> On Fri, Jul 18, 2008 at 11:42 AM, Jeremiah Grossman
> <jeremiah@xxxxxxxxxxxxxxx> wrote:
> > Hi Raymond,
> >
> >       Every year XST becomes less of a risk because as you noticed  
> > most/all
> > recent major Web browser version do not allow TRACE/TRACK requests  
> > via
> > JavaScript. However, roughly 1/4 of the Web uses IE 6 SP2, which  
> > has the
> > following issue where you can bypass the restriction:
> >
> > XST Strikes Back - Amit Klein, January 2006
> > http://www.webappsec.org/lists/websecurity/archive/2006-01/msg00051.html
> >
> > Essentially XST's usefulness comes down to bypassing the httpOnly  
> > flag and
> > maybe grabbing a few other headers in the process. Additional reading
> > material:
> >
> > http://www.webappsec.org/lists/websecurity/archive/2006-05/msg00025.html
> > http://jeremiahgrossman.blogspot.com/2007/04/xst-lives-bypassing-httponly.html
> >
> > As for prioritization, my view is if you have other garden variety  
> > XSS
> > issues, fix those first. XST has about the same severity as most  
> > other
> > reflective XSS vulns, but with the lower threat (less likely to be
> > exploited). Hope this helps.
> >
> >
> > Regards,
> >
> > Jeremiah-
> >
> >
> > On Jul 18, 2008, at 10:44 AM, Raymond Forbes wrote:
> >
> > > So, this vulnerability keeps coming up on scans and audits.   
> > > Considering
> > > the number of clients that even support trace has dramatically  
> > > shrunk this
> > > would seem to me to not be a serious issue anymore.  Not that I am  
> > > saying it
> > > isn't worth fixing but when prioritizing with other  
> > > vulnerabilities this
> > > ends up on the low side.
> > > Am I off base here?
> > >
> > > -Raymond
> > >
> > >
> > > --- 
> > > --- 
> > > --- 
> > > -------------------------------------------------------------------
> > > Join us on IRC: irc.freenode.net #webappsec
> > >
> > > Have a question? Search The Web Security Mailing List Archives:
> > > http://www.webappsec.org/lists/websecurity/archive/
> > >
> > > Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss  
> > > [RSS Feed]
> > >
> > > Join WASC on LinkedIn
> > > http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> >
> >
> > --- 
> > --- 
> > --- 
> > -------------------------------------------------------------------
> > Join us on IRC: irc.freenode.net #webappsec
> >
> > Have a question? Search The Web Security Mailing List
> > Archives:http://www.webappsec.org/lists/websecurity/archive/
> >
> > Subscribe via RSS:http://www.webappsec.org/rss/websecurity.rss [RSS  
> > Feed]
> >
> > Join WASC on LinkedIn
> > http://www.linkedin.com/e/gis/83336/4B20E4374DBA

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA