RE: http TRACE option

From: Maxime Ducharme (mducharme@cybergeneration.com)
Date: Fri Jan 18 2008 - 14:20:35 EST


Hi

TRACE allows XSS even if session ids
have been "protected" by setting the new
"httponly" cookie option

httponly was developed by Microsoft to prevent
JavaScript from reading the cookie value; it has been implemented
in IE 6 SP1

They do this to try to limit the XSS attack surface,
see http://msdn2.microsoft.com/en-us/library/ms533046.aspx

By sending a TRACE HTTP request to Apache and reading back the content
with an xmlhttp object (for example), you will be able to see
the cookie value with client-side scripts, then do XSS to upload the
session id to your server

TRACE + XSS is also called XST, see
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf

see also http://osvdb.org/877

HTH

Maxime
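To confirm the Nessus finding quoted below, or to verify that it has been fixed, here is an added example in Python that is not part of this thread: it sends a TRACE request carrying a marker header and reports whether the server echoes it back in the response body, which is the same reflection that would expose the Cookie header to a client-side script. The two local handlers are constructed stand-ins for a server with TRACE enabled and for one that refuses it, as Apache does with `TraceEnable off`; the check itself runs against any host and port.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed marker header: if the server reflects it in the TRACE response
# body, it would reflect a Cookie header the same way, which is the XST issue.
MARKER_VALUE = "xst-probe-value"

def trace_enabled(host: str, port: int, timeout: float = 5.0) -> bool:
    """Return True if the server echoes a TRACE request back in the body."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"X-Xst-Probe": MARKER_VALUE})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", errors="replace")
    finally:
        conn.close()
    # A real TRACE reply is 200 with the request echoed (Content-Type
    # message/http); a 405/501 or a body without our marker means disabled.
    return resp.status == 200 and MARKER_VALUE in body

class TraceEchoHandler(BaseHTTPRequestHandler):
    """Constructed server mimicking a default Apache with TRACE enabled."""
    def do_TRACE(self):
        echoed = f"{self.command} {self.path} {self.request_version}\r\n"
        data = (echoed + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass

class TraceDeniedHandler(TraceEchoHandler):
    """Constructed server refusing TRACE, like Apache with 'TraceEnable off'."""
    def do_TRACE(self):
        self.send_error(405)

def run_server(handler) -> HTTPServer:
    srv = HTTPServer(("127.0.0.1", 0), handler)  # port 0 = any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

if __name__ == "__main__":
    for handler in (TraceEchoHandler, TraceDeniedHandler):
        srv = run_server(handler)
        print(handler.__name__, "TRACE enabled:", trace_enabled(*srv.server_address))
        srv.shutdown()
```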

 

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of pentestr
Sent: 17 January 2008 15:41
To: Pentest Mailinglist
Subject: http TRACE option

Hi,
What is the issue if the TRACE option is enabled in web servers? Nessus
results always display it as a warning.
Any idea...

Thanks in advance.
Rgds.
P.T.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:20 EDT