
Re: [WEB SECURITY] cross site trace



Scanners always rate it as a high or critical. PCI auditors consider it a "PCI" issue because it is tied with cross-site scripting. I am in the process of making a justification about not prioritizing these as high as other XSS vulns and was curious what is the general consensus.

-Raymond
----- Original Message -----
From: "Brian Shura" <bshura@xxxxxxxxxxxxx>
To: "'Raymond Forbes'" <rforbes@xxxxxxxxxxxxxx>; <websecurity@xxxxxxxxxxxxx>
Sent: Friday, July 18, 2008 4:58 PM
Subject: RE: [WEB SECURITY] cross site trace



Raymond,
IE 6 is the only major browser that still supports TRACE, so I would agree
that this is a low-risk vulnerability.  What does your scanner rate it as?

-Brian

-----Original Message-----
From: Raymond Forbes [mailto:rforbes@xxxxxxxxxxxxxx]
Sent: Friday, July 18, 2008 12:44 PM
To: websecurity@xxxxxxxxxxxxx
Subject: [WEB SECURITY] cross site trace

So, this vulnerability keeps coming up on scans and audits.  Considering
the number of clients that even support TRACE has dramatically shrunk,
this would seem to me to not be a serious issue anymore.  Not that I am
saying it isn't worth fixing, but when prioritizing with other
vulnerabilities this ends up on the low side.

Am I off base here?

-Raymond






