Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: http TRACE option
From: "Maxime Ducharme" <mducharme () cybergeneration com>
Date: Fri, 18 Jan 2008 14:20:35 -0500


Hi 

TRACE allows to do XSS even if sessions ids
have been "protected" by setting the new option
"httponly" cookie

httponly was developed by Microsoft to prevent
javascript to read the cookie value, it has been implemented
in IE 6 SP1

they do this to try to limit XSS attack surface,
see http://msdn2.microsoft.com/en-us/library/ms533046.aspx

By sending a TRACE HTTP request to Apache and reading back the content
with a xmlhttp object (by example), you will be able to see
the cookie value with client-side scripts, then do XSS to upload the
session id on your server

TRACE + XSS is also called XST, see
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf

see also http://osvdb.org/877

HTH

Maxime

 

-----Message d'origine-----
De : listbounce () securityfocus com [mailto:listbounce () securityfocus com] De
la part de pentestr
Envoyé : 17 janvier 2008 15:41
À : Pentest Mailinglist
Objet : http TRACE option

Hi,
what is the issue if TRACE option is enabled in web servers ? Nessus 
results always display it as warning.
any idea...

Thanks in advance.
Rgds.
P.T.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]