Home page logo

pen-test logo Penetration Testing mailing list archives

Re: http TRACE option
From: Trancer <mtrancer () gmail com>
Date: Sun, 20 Jan 2008 02:39:47 +0200

From rfc2616:

"The TRACE method is used to invoke a remote, application-layer loop- back of the request message. The final recipient of the request SHOULD reflect the message received back to the client as the entity-body of a 200 (OK) response. The final recipient is either the origin server or the first proxy or gateway to receive a Max-Forwards value of zero (0) in the request (see section 14.31). A TRACE request MUST NOT include an entity."


The HTTP TRACE method can risk a web application using HttpOnly cookies to protect against cross-site scripting cookie-theft attacks. Exploiting the TRACE method allows an attacker to steal cookies despite the HttpOnly option. Jeremiah Grossman posted a paper about this kind of attack (cross-site tracing):

pentestr wrote:
what is the issue if TRACE option is enabled in web servers ? Nessus results always display it as warning.
any idea...

Thanks in advance.

0nly Human.

This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]