Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: http TRACE option
From: Tim <tim-pentest () sentinelchicken org>
Date: Fri, 18 Jan 2008 13:40:53 -0500

what is the issue if TRACE option is enabled in web servers ? Nessus  
results always display it as warning.
any idea...

http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf

It was an over-hyped little attack, but it is not insignificant.  It the
website also has a cross-site scripting vulnerability, XST can be used
to steal HTTP headers that wouldn't otherwise be available to JavaScript
et. al.  For instance, basic auth headers and HttpOnly cookies.  Without
an XSS hole to go along with it, it really isn't important AFAIK.

tim

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault