RE: [WEB SECURITY] cross site trace
- From: "Brian Shura" <bshura@xxxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] cross site trace
- Date: Mon, 21 Jul 2008 17:39:16 -0500
Even if a significant portion of your user base is still on IE 6, I'd still
call it a low risk vulnerability, unless the scanner was actually able to
inject some Javascript code to successfully send a TRACE request. And if
the scanner is able to do that you might as well call it Cross-Site
Scripting at that point because you just got the site to reflect back a big
chunk of Javascript. A smart attacker wouldn't use that particular hole to
conduct a TRACE attack since only IE 6 supports that - he'd do a regular XSS
attack.
Allowing the TRACE method is one of those things that's easy for scanners to
detect, which is why most scanners will flag this issue. AppScan rates it a
Medium, which in my opinion is still one notch too high.
Which brings up a question - if some PCI certified scanning solutions rate
this a Medium and others rate it a High, why not tell the auditors "Yes,
this Cross-Site Tracing issue shows up as High on our scanner's report, but
AppScan and Qualys rate this same issue a Medium, and they are also PCI
Approved Scanning Vendors, so we're going to count it as a Medium." I don't
know if that argument is going to fly or not, but you could try it. Tell
them you want to focus your efforts on fixing the real issues that put
customer information at risk rather than trying to close out every "blinky
red dot" on your scanner's report.
-Brian
-----Original Message-----
From: arian.evans@xxxxxxxxx [mailto:arian.evans@xxxxxxxxx] On Behalf Of
Arian J. Evans
Sent: Monday, July 21, 2008 1:18 PM
To: websecurity@xxxxxxxxxxxxx
Subject: Re: [WEB SECURITY] cross site trace
In terms of business case it seems you would want
to evaluate this risk statistically.
e.g.-- How many IE 6 users(?), pulse/frequency of
IE 6 user access, etc.
This would give the business a better notion of
relative attack surface. If your user base is 100%
deprecated IE 6 (say in the case of an intranet
app and legacy internal users) this might be a
justifiably high risk issue. Where conversely a
Mac-oriented website might find the risk to be
much lower. (100% browser != IE)
Qualys moved this down to a "medium" several
years ago after vigorous debate with them, but
it seems most vendors keep this as "high".
Makes sense though. Much easier to find the
"TRACE" method enabled on a web server
to pad your reports with "High" vulns than
to find most of the things we actually see attackers
exploiting in the wild (on webapps). ;)
Happy Monday,
--
Arian J. Evans.
Software. Security. Stuff.
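One way to put numbers on the IE 6 share that Arian and Brian say the rating should hinge on, as an added example that is not part of the original thread: it parses Apache combined-format access log lines (the sample lines below are constructed, not real traffic), counts IE 6 traffic both by request frequency and by distinct client, and maps the client share to a severity. The thresholds in rate_xst are my assumption for illustration, not a vendor or PCI scale.

```python
import re
from collections import Counter

# Constructed sample in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.1 - - [21/Jul/2008:13:18:00 -0500] "GET /login HTTP/1.1" 200 1043 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.2 - - [21/Jul/2008:13:18:05 -0500] "GET /login HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0"
10.0.0.1 - - [21/Jul/2008:13:19:10 -0500] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.3 - - [21/Jul/2008:13:20:00 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
10.0.0.4 - - [21/Jul/2008:13:21:00 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_4; en-us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.2 Safari/525.20.1"
"""

# Combined format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
IE6_RE = re.compile(r'MSIE 6\.')  # IE 6 announces itself as "MSIE 6.x"

def ie6_share(log_text):
    """Count IE 6 traffic by request (frequency) and by distinct client IP."""
    per_ip = Counter()       # requests per client
    ie6_per_ip = Counter()   # IE 6 requests per client
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue         # skip malformed or non-combined-format lines
        per_ip[m.group("ip")] += 1
        if IE6_RE.search(m.group("ua")):
            ie6_per_ip[m.group("ip")] += 1
    return {
        "ie6_requests": sum(ie6_per_ip.values()),
        "total_requests": sum(per_ip.values()),
        "ie6_clients": len(ie6_per_ip),
        "total_clients": len(per_ip),
    }

def rate_xst(ie6_client_fraction, trace_enabled=True):
    """Severity of an enabled TRACE method given the IE 6 client share."""
    # Thresholds are an assumption: an all-IE 6 legacy intranet is high,
    # a browser mix with little or no IE 6 is low.
    if not trace_enabled:
        return "none"        # nothing is reflected, so no XST exposure
    if ie6_client_fraction >= 0.5:
        return "high"
    if ie6_client_fraction >= 0.1:
        return "medium"
    return "low"
```

Run it against a real access log instead of SAMPLE_LOG to get the per-client share for your own user base; the request counts give the access frequency Arian mentions.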
On Fri, Jul 18, 2008 at 5:10 PM, Raymond Forbes <rforbes@xxxxxxxxxxxxxx>
wrote:
> Scanners always rate it as a high or critical. PCI auditors consider it a
> "PCI" issue because it is tied with cross-site scripting. I am in the
> process of making a justification about not prioritizing these as high as
> other XSS vulns and was curious what is the general consensus.
>
> -Raymond
> ----- Original Message ----- From: "Brian Shura" <bshura@xxxxxxxxxxxxx>
> To: "'Raymond Forbes'" <rforbes@xxxxxxxxxxxxxx>; <websecurity@xxxxxxxxxxxxx>
> Sent: Friday, July 18, 2008 4:58 PM
> Subject: RE: [WEB SECURITY] cross site trace
>
>
>> Raymond,
>> IE 6 is the only major browser that still supports TRACE, so I would agree
>> that this is a low risk vulnerability. What does your scanner rate it as?
>>
>> -Brian
>>
>> -----Original Message-----
>> From: Raymond Forbes [mailto:rforbes@xxxxxxxxxxxxxx]
>> Sent: Friday, July 18, 2008 12:44 PM
>> To: websecurity@xxxxxxxxxxxxx
>> Subject: [WEB SECURITY] cross site trace
>>
>> So, this vulnerability keeps coming up on scans and audits. Considering
>> the number of clients that even support trace has dramatically shrunk
>> this would seem to me to not be a serious issue anymore. Not that I am
>> saying it isn't worth fixing but when prioritizing with other
>> vulnerabilities this ends up on the low side.
>>
>> Am I off base here?
>>
>> -Raymond
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA