Re: [WEB SECURITY] cross site trace
- From: Ory Segal <SEGALORY@xxxxxxxxxx>
- Subject: Re: [WEB SECURITY] cross site trace
- Date: Sat, 19 Jul 2008 10:59:14 +0300
white-list only GET and POST?
And what about RESTful services...? (PUT/DELETE)
-Ory
From: "James Landis" <jcl24@cornell.edu>
To: "Jeremiah Grossman" <jeremiah@whitehatsec.com>
Cc: "Raymond Forbes" <rforbes@e-stalkers.net>, websecurity@webappsec.org
Date: 18/07/2008 23:52
Subject: Re: [WEB SECURITY] cross site trace
This is one of those issues that it takes more time to debate than to
fix. One rule in your .conf or URLScan config and no more TRACE. While
you're at it, white-list only GET and POST and take care of a host of
other problems at the same time.
On Fri, Jul 18, 2008 at 11:42 AM, Jeremiah Grossman
<jeremiah@whitehatsec.com> wrote:
> Hi Raymond,
>
> Every year XST becomes less of a risk because, as you noticed, most/all
> recent major Web browser versions do not allow TRACE/TRACK requests via
> JavaScript. However, roughly 1/4 of the Web uses IE 6 SP2, which has the
> following issue where you can bypass the restriction:
>
> XST Strikes Back - Amit Klein, January 2006
> http://www.webappsec.org/lists/websecurity/archive/2006-01/msg00051.html
>
> Essentially XST's usefulness comes down to bypassing the httpOnly flag and
> maybe grabbing a few other headers in the process. Additional reading
> material:
>
> http://www.webappsec.org/lists/websecurity/archive/2006-05/msg00025.html
> http://jeremiahgrossman.blogspot.com/2007/04/xst-lives-bypassing-httponly.html
>
> As for prioritization, my view is if you have other garden variety XSS
> issues, fix those first. XST has about the same severity as most other
> reflective XSS vulns, but with the lower threat (less likely to be
> exploited). Hope this helps.
>
>
> Regards,
>
> Jeremiah-
>
>
> On Jul 18, 2008, at 10:44 AM, Raymond Forbes wrote:
>
>> So, this vulnerability keeps coming up on scans and audits. Considering
>> the number of clients that even support trace has dramatically shrunk, this
>> would seem to me to not be a serious issue anymore. Not that I am saying it
>> isn't worth fixing, but when prioritizing with other vulnerabilities this
>> ends up on the low side.
>> Am I off base here?
>>
>> -Raymond
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
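The thread turns on one mechanical fact: a server with TRACE enabled echoes the request it received, Cookie header included, back in the response body, which is what lets script read an httpOnly cookie it cannot reach through document.cookie. The following is an added example, not code from any poster on this thread: a small Python probe that sends a TRACE request carrying a marker header and decides, from the raw response, whether the server reflected it. The sample responses at the bottom are constructed, not captured from any real host, and the X-Xst-Probe header name is an assumption; any unique name would do.

```python
"""XST probe: send TRACE with a marker header and decide whether the
server echoed the request back (the condition that lets script read an
httpOnly cookie via cross-site tracing)."""
import socket

MARKER = "X-Xst-Probe"  # assumed marker header name; the value is arbitrary


def build_trace_request(host: str) -> bytes:
    """TRACE request carrying a cookie we would like to see reflected."""
    return (
        f"TRACE / HTTP/1.1\r\nHost: {host}\r\n"
        f"Cookie: session=secret\r\n{MARKER}: 5f3a9c\r\n"
        f"Connection: close\r\n\r\n"
    ).encode()


def _headers(lines) -> dict:
    """Parse 'Name: value' lines into a dict (stops at the first blank line)."""
    out = {}
    for line in lines:
        if not line:
            break
        name, _, value = line.partition(":")
        out[name.strip().lower()] = value.strip()
    return out


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return 0, {}, body          # not an HTTP response at all
    return int(parts[1]), _headers(lines[1:]), body


def echoed_request_headers(raw: bytes) -> dict:
    """Request headers the server reflected in a TRACE body, i.e. exactly
    what an XST attack leaks (Cookie, Authorization, ...). Empty when TRACE
    is refused (405/501) or when the 200 body is not an echo of our request."""
    status, _, body = parse_response(raw)
    if status != 200:
        return {}
    lines = body.decode("iso-8859-1").split("\r\n")
    if not lines or not lines[0].startswith("TRACE "):
        return {}                   # a 200 serving an ordinary page is not a reflection
    return _headers(lines[1:])


def trace_is_reflected(raw: bytes) -> bool:
    """True only if our own marker header came back in the echoed request."""
    return MARKER.lower() in echoed_request_headers(raw)


def probe(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Live check against a server (not exercised offline): returns the
    headers the server reflected, empty if TRACE is disabled."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_trace_request(host))
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return echoed_request_headers(b"".join(chunks))


# Constructed sample responses (not captured from any real host).
VULNERABLE = (
    b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: message/http\r\n"
    b"Connection: close\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\nCookie: session=secret\r\n"
    b"X-Xst-Probe: 5f3a9c\r\nConnection: close\r\n\r\n"
)
HARDENED = (  # what TRACE disabled at the server looks like
    b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST\r\n"
    b"Content-Type: text/html\r\nConnection: close\r\n\r\n<html>405</html>"
)
LENIENT = (  # unknown method served as if it were GET: 200, but no echo
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>home</html>"
)

if __name__ == "__main__":
    for name, raw in ("vulnerable", VULNERABLE), ("hardened", HARDENED), ("lenient", LENIENT):
        print(name, trace_is_reflected(raw), echoed_request_headers(raw).get("cookie"))
```

A bare 200 is not evidence on its own: some servers answer an unknown method as if it were GET, so the check insists that the body starts with the echoed TRACE request line and that our marker is among the echoed headers. A 405 or 501 is what you should see after applying the one-line fix James describes (TraceEnable off on Apache; a verb allow-list in URLScan); running the probe before and after the change is the cheapest way to close the finding that keeps reappearing on scans.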
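James's "white-list only GET and POST" and Ory's "what about PUT/DELETE" are reconciled by making the allow-list per path rather than global. The following is an added example, not code from anyone on this thread: a WSGI middleware in Python that permits GET/POST/HEAD everywhere, PUT/DELETE only under an assumed /api/ prefix, and TRACE/TRACK nowhere, even if a rule lists them. The echo application, the rule table and the path prefixes are made up for the illustration.

```python
"""Per-path HTTP method allow-list as a WSGI middleware: the site-wide
default is GET/POST/HEAD, REST resources additionally get PUT/DELETE, and
TRACE/TRACK are refused everywhere regardless of the rules."""

NEVER = frozenset({"TRACE", "TRACK"})   # never allowed, whatever the rules say


class MethodAllowList:
    def __init__(self, app, rules):
        # rules: {path_prefix: set of allowed methods}; longest prefix wins
        self.app = app
        self.rules = sorted(rules.items(), key=lambda kv: -len(kv[0]))

    def allowed_for(self, path: str) -> frozenset:
        """Methods permitted for this path (NEVER is subtracted unconditionally)."""
        for prefix, methods in self.rules:
            if path.startswith(prefix):
                return frozenset(methods) - NEVER
        return frozenset()              # unmatched path: nothing is allowed

    def __call__(self, environ, start_response):
        # HTTP methods are case-sensitive, so no normalisation: "get" is not GET
        method = environ.get("REQUEST_METHOD", "")
        allowed = self.allowed_for(environ.get("PATH_INFO") or "/")
        if method not in allowed:
            start_response("405 Method Not Allowed", [
                ("Allow", ", ".join(sorted(allowed))),
                ("Content-Type", "text/plain"),
            ])
            return [b"method not allowed\n"]
        return self.app(environ, start_response)


def echo_app(environ, start_response):
    """Stand-in application (assumed): reports the method and path it saw."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"{environ['REQUEST_METHOD']} {environ['PATH_INFO']}\n".encode()]


RULES = {                               # assumed layout for the illustration
    "/":     {"GET", "POST", "HEAD"},
    "/api/": {"GET", "POST", "PUT", "DELETE", "HEAD"},
}
app = MethodAllowList(echo_app, RULES)


def status_for(method: str, path: str, wsgi_app=None) -> tuple:
    """Drive the app without a server; returns (status line, Allow header)."""
    wsgi_app = wsgi_app or app
    seen = []

    def start_response(status, headers, exc_info=None):
        seen.append((status, dict(headers)))

    b"".join(wsgi_app({"REQUEST_METHOD": method, "PATH_INFO": path}, start_response))
    status, headers = seen[0]
    return status, headers.get("Allow", "")


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, app).serve_forever()
```

Application-layer filtering is a second line only. TRACE is normally answered by the web server itself, before any application code runs, so the server-side fix James describes is still required; on Apache that is TraceEnable off, and note that <Limit>/<LimitExcept> cannot restrict TRACE, only TraceEnable can. The middleware's TRACE/TRACK rule covers servers that pass unknown methods through, and the per-prefix table is what keeps a REST API working while the rest of the site stays at GET/POST/HEAD.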
Brought to you by http://www.webappsec.org