From: Tim (tim-pentest@sentinelchicken.org)
Date: Fri Jan 18 2008 - 13:40:53 EST
> what is the issue if TRACE option is enabled in web servers ? Nessus
> results always display it as warning.
> any idea...
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
It was an over-hyped little attack, but it is not insignificant. It the
website also has a cross-site scripting vulnerability, XST can be used
to steal HTTP headers that wouldn't otherwise be available to JavaScript
et. al. For instance, basic auth headers and HttpOnly cookies. Without
an XSS hole to go along with it, it really isn't important AFAIK.
tim
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:20 EDT