Re: [WEB SECURITY] cross site trace
- From: "Arian J. Evans" <arian.evans@xxxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] cross site trace
- Date: Mon, 21 Jul 2008 11:18:01 -0700
In terms of business case it seems you would want
to evaluate this risk statistically.
e.g.-- How many IE 6 users(?), pulse/frequency of
IE 6 user access, etc.
This would give the business a better notion of
relative attack surface. If your user base is 100%
deprecated IE 6 (say in the case of an intranet
app and legacy internal users) this might be a
justifiably high risk issue. Conversely, a
Mac-oriented website might find the risk to be
much lower. (100% browser != IE)
Qualys moved this down to a "medium" several
years ago after vigorous debate with them, but
it seems most vendors keep this as "high".
Makes sense though. Much easier to find the
"TRACE" method enabled on a web server
to pad your reports with "High" vulns than
to find most of the things we actually see attackers
exploiting in the wild (on webapps). ;)
Happy Monday,
--
Arian J. Evans.
Software. Security. Stuff.
On Fri, Jul 18, 2008 at 5:10 PM, Raymond Forbes <rforbes@xxxxxxxxxxxxxx> wrote:
> Scanners always rate it as a high or critical. PCI auditors consider it a
> "PCI" issue because it is tied with cross-site scripting. I am in the
> process of making a justification about not prioritizing these as high as
> other XSS vulns and was curious what is the general consensus.
>
> -Raymond
> ----- Original Message ----- From: "Brian Shura" <bshura@xxxxxxxxxxxxx>
> To: "'Raymond Forbes'" <rforbes@xxxxxxxxxxxxxx>; <websecurity@xxxxxxxxxxxxx>
> Sent: Friday, July 18, 2008 4:58 PM
> Subject: RE: [WEB SECURITY] cross site trace
>
>
>> Raymond,
>> IE 6 is the only major browser that still supports TRACE, so I would agree
>> that this is a low risk vulnerability. What does your scanner rate it as?
>>
>> -Brian
>>
>> -----Original Message-----
>> From: Raymond Forbes [mailto:rforbes@xxxxxxxxxxxxxx]
>> Sent: Friday, July 18, 2008 12:44 PM
>> To: websecurity@xxxxxxxxxxxxx
>> Subject: [WEB SECURITY] cross site trace
>>
>> So, this vulnerability keeps coming up on scans and audits. Considering
>> the number of clients that even support trace has dramatically shrunk
>> this would seem to me to not be a serious issue anymore. Not that I am
>> saying it isn't worth fixing but when prioritizing with other
>> vulnerabilities this ends up on the low side.
>>
>> Am I off base here?
>>
>> -Raymond
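The thread turns on one check a scanner runs: send a TRACE request and see whether the server reflects it. Below is an added example of that probe, written for this page and not code from any of the posters or their vendors. It runs entirely offline against two constructed stand-in servers: `EchoTraceHandler` reflects the request the way a server with TRACE enabled does, and `DenyTraceHandler` answers 405 the way a hardened one does. The canary header name `X-Xst-Probe` and the sample `Cookie` value are assumptions chosen for the example. The point the probe makes, which a report that only lists "TRACE enabled" does not, is that a finding should rest on the canary actually coming back in a `message/http` body, not merely on a 200 status.

```python
"""Probe whether an HTTP server has the TRACE method enabled (the
"cross-site tracing" finding from the thread).  Added example, not code
from the mailing-list thread.  Fully offline: it starts two tiny
constructed servers, one that echoes TRACE (vulnerable configuration)
and one that refuses it with 405 (hardened configuration)."""

import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER_HEADER = "X-Xst-Probe"  # hypothetical canary header name


class EchoTraceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server with TRACE enabled: it reflects
    the request line and headers in a message/http body, which is what
    TRACE is specified to do and what an attacker harvests."""

    def do_TRACE(self):
        body = (self.requestline + "\r\n" +
                "".join(f"{k}: {v}\r\n" for k, v in self.headers.items())
                ).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


class DenyTraceHandler(EchoTraceHandler):
    """Constructed stand-in for a hardened server (e.g. Apache with
    TraceEnable off): TRACE gets 405 Method Not Allowed and no echo."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_server(handler):
    """Serve `handler` on an ephemeral loopback port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe_trace(host, port, path="/"):
    """Send TRACE with a unique canary header and report what came back.

    Returns status, whether the canary was reflected verbatim in the body,
    and whether the server declared message/http.  A 200 with a generic
    page (some servers answer any method that way) is NOT a reflection,
    so the verdict keys on the canary, not the status alone."""
    canary = "xst-" + secrets.token_hex(8)
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", path, headers={MARKER_HEADER: canary,
                                             "Cookie": "session=abc123"})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
        ctype = resp.getheader("Content-Type", "") or ""
        return {
            "status": resp.status,
            "reflected": f"{MARKER_HEADER}: {canary}" in body,
            "message_http": ctype.startswith("message/http"),
        }
    finally:
        conn.close()


def trace_enabled(host, port):
    """The single verdict a scanner would report for this host."""
    r = probe_trace(host, port)
    return r["status"] == 200 and r["reflected"]


if __name__ == "__main__":
    for name, handler in (("echo", EchoTraceHandler), ("deny", DenyTraceHandler)):
        srv, port = start_server(handler)
        print(name, probe_trace("127.0.0.1", port),
              "TRACE enabled:", trace_enabled("127.0.0.1", port))
        srv.shutdown()
        srv.server_close()
```

Against a real target, call `probe_trace(host, port)` directly; the two stand-in servers exist only so the example runs without network access. The remediation the probe verifies is server-side (on Apache, `TraceEnable off`), which is why the check looks for the canary in the body rather than trusting an `Allow` header.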
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org