
Re: [WEB SECURITY] cross site trace



While you're at it, white-list only the verbs you need.

On Sat, Jul 19, 2008 at 12:59 AM, Ory Segal <SEGALORY@xxxxxxxxxx> wrote:
>
> white-list only GET and POST?
>
> And what about RESTful services...? (PUT/DELETE)
>
> -Ory
>
>
> From: "James Landis" <jcl24@xxxxxxxxxxx>
> To: "Jeremiah Grossman" <jeremiah@xxxxxxxxxxxxxxx>
> Cc: "Raymond Forbes" <rforbes@xxxxxxxxxxxxxx>, websecurity@xxxxxxxxxxxxx
> Date: 18/07/2008 23:52
> Subject: Re: [WEB SECURITY] cross site trace
> ________________________________
>
>
> This is one of those issues that it takes more time to debate than to
> fix. One rule in your .conf or URLScan config and no more TRACE. While
> you're at it, white-list only GET and POST and take care of a host of
> other problems at the same time.
>
> On Fri, Jul 18, 2008 at 11:42 AM, Jeremiah Grossman
> <jeremiah@xxxxxxxxxxxxxxx> wrote:
>> Hi Raymond,
>>
>>        Every year XST becomes less of a risk because, as you noticed,
>> most/all recent major Web browser versions do not allow TRACE/TRACK
>> requests via JavaScript. However, roughly 1/4 of the Web uses IE 6 SP2,
>> which has the following issue where you can bypass the restriction:
>>
>> XST Strikes Back - Amit Klein, January 2006
>> http://www.webappsec.org/lists/websecurity/archive/2006-01/msg00051.html
>>
>> Essentially XST's usefulness comes down to bypassing the httpOnly flag and
>> maybe grabbing a few other headers in the process. Additional reading
>> material:
>>
>> http://www.webappsec.org/lists/websecurity/archive/2006-05/msg00025.html
>>
>> http://jeremiahgrossman.blogspot.com/2007/04/xst-lives-bypassing-httponly.html
>>
>> As for prioritization, my view is if you have other garden variety XSS
>> issues, fix those first. XST has about the same severity as most other
>> reflective XSS vulns, but with the lower threat (less likely to be
>> exploited). Hope this helps.
>>
>>
>> Regards,
>>
>> Jeremiah-
>>
>>
>> On Jul 18, 2008, at 10:44 AM, Raymond Forbes wrote:
>>
>>> So, this vulnerability keeps coming up on scans and audits.  Considering
>>> the number of clients that even support trace has dramatically shrunk this
>>> would seem to me to not be a serious issue anymore.  Not that I am saying it
>>> isn't worth fixing but when prioritizing with other vulnerabilities this
>>> ends up on the low side.
>>> Am I off base here?
>>>
>>> -Raymond
>>>
>>>
>>>
>>> ----------------------------------------------------------------------------
>>> Join us on IRC: irc.freenode.net #webappsec
>>>
>>> Have a question? Search The Web Security Mailing List Archives:
>>> http://www.webappsec.org/lists/websecurity/archive/
>>>
>>> Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS
>>> Feed]
>>>
>>> Join WASC on LinkedIn
>>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>>
>>>
>
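The "one rule in your .conf" fix James describes, combined with the per-path verb white-list the reply above asks for, as an added Apache httpd configuration example. This is not configuration from anyone in the thread; the `/api/` path is a made-up placeholder for a RESTful resource of the kind Ory mentions.

```apache
# Added example (not from the thread): Apache httpd 2.x configuration that
# disables TRACE server-wide and white-lists HTTP methods per path.
# The /api/ path below is an assumed placeholder, not a real deployment.

# TRACE is answered by the httpd core and cannot be restricted with
# <Limit>/<LimitExcept>, so it needs its own directive (httpd 2.0.55 and
# 1.3.34 or later; the default is "on"). Requests then get a 405.
TraceEnable off

# Site-wide default: only GET and POST. Listing GET also covers HEAD.
# Any other method is refused by the access-control layer with a 403.
<Location "/">
    <LimitExcept GET POST>
        Require all denied
    </LimitExcept>
</Location>

# A RESTful resource that genuinely needs PUT and DELETE: widen the
# white-list for that path only. Because AuthMerging defaults to Off, the
# Require directives in this more specific section replace the parent's
# for requests under /api/, so PUT and DELETE are no longer blocked here
# while OPTIONS, PATCH, PROPFIND and the rest still get a 403.
<Location "/api/">
    <LimitExcept GET POST PUT DELETE>
        Require all denied
    </LimitExcept>
</Location>
```

Verify the result against a test instance rather than trusting the merge rules from memory: `curl -s -o /dev/null -w '%{http_code}\n' -X TRACE http://localhost/` should print `405`, `curl -s -o /dev/null -w '%{http_code}\n' -X PUT http://localhost/` should print `403`, and a `PUT` to `http://localhost/api/item` should reach the application handler instead of being refused by httpd. The IIS/URLScan equivalent of the verb white-list is `UseAllowVerbs=1` under `[Options]` in URLScan.ini with the permitted verbs listed under `[AllowVerbs]`.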

Brought to you by http://www.webappsec.org