From: Trancer (mtrancer@gmail.com)
Date: Sat Jan 19 2008 - 19:39:47 EST
From rfc2616:
"The TRACE method is used to invoke a remote, application-layer loop-
back of the request message. The final recipient of the request SHOULD
reflect the message received back to the client as the entity-body of a
200 (OK) response. The final recipient is either the origin server or
the first proxy or gateway to receive a Max-Forwards value of zero (0)
in the request (see section 14.31). A TRACE request MUST NOT include an
entity."
http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
The HTTP TRACE method can risk a web application using HttpOnly cookies
to protect against cross-site scripting cookie-theft attacks. Exploiting
the TRACE method allows an attacker to steal cookies despite the
HttpOnly option.
Jeremiah Grossman posted a paper about this kind of attack (cross-site
tracing):
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
pentestr wrote:
> Hi,
> what is the issue if TRACE option is enabled in web servers ? Nessus
> results always display it as warning.
> any idea...
>
> Thanks in advance.
> Rgds.
> P.T.
>
-- Trancer 0nly Human. ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:20 EDT