Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: http TRACE option
From: Trancer <mtrancer () gmail com>
Date: Sun, 20 Jan 2008 02:39:47 +0200

From rfc2616:

"The TRACE method is used to invoke a remote, application-layer loop- back of the request message. The final recipient of the request SHOULD reflect the message received back to the client as the entity-body of a 200 (OK) response. The final recipient is either the origin server or the first proxy or gateway to receive a Max-Forwards value of zero (0) in the request (see section 14.31). A TRACE request MUST NOT include an entity."

http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

The HTTP TRACE method can risk a web application using HttpOnly cookies to protect against cross-site scripting cookie-theft attacks. Exploiting the TRACE method allows an attacker to steal cookies despite the HttpOnly option. Jeremiah Grossman posted a paper about this kind of attack (cross-site tracing):
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf

pentestr wrote:
Hi,
what is the issue if TRACE option is enabled in web servers ? Nessus results always display it as warning.
any idea...

Thanks in advance.
Rgds.
P.T.



--
Trancer
0nly Human.


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]