From: Alexander Bondarenko (al.bondarenko@gmail.com)
Date: Fri Jan 18 2008 - 15:51:58 EST
Hi !
If i understand it right cookies are sometimes protected with httpOnly
attribute from access with javascript on the web page (see below)
HttpOnly - If this attribute is set, then the cookie cannot be directly
accessed via client-side JavaScript, although not all browsers support
this restriction.
So in order to get cookies you need to use the TRACE method because it send
all your info back and only using this request can you get cookies with
javascript (in XSS attack for example).
P.S. Sorry for my English, it's not my native language.
On Thursday 17 January 2008 23:40, pentestr wrote:
> Hi,
> what is the issue if TRACE option is enabled in web servers ? Nessus
> results always display it as warning.
> any idea...
>
> Thanks in advance.
> Rgds.
> P.T.
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:20 EDT