Nmap Development mailing list archives

Re: NSE Script http-methods.nse


From: David Fifield <david () bamsoftware com>
Date: Mon, 22 Feb 2010 14:43:35 -0700

On Sun, Feb 21, 2010 at 12:49:23AM +0100, Daniel Roethlisberger wrote:
> David Fifield <david () bamsoftware com> 2010-02-18:
> > The uninteresting set {GET, HEAD, POST, OPTIONS, TRACE} just comes from
> > a quick observation of a handful of web servers. I welcome suggestions
> > of methods to be removed from or added to the set.
>
> I'd vote for removing TRACE from the uninteresting set.  TRACE
> can be security relevant in the context of Cross-Site Tracing
> attacks (web app vulnerable to XSS, session cookie has HttpOnly
> flag set or NTLM or basic auth is used, XSS payload does a TRACE
> request back to the web server, server reflects request headers
> in response body, XSS payload can now read session cookie or auth
> headers).
>
> http://www.owasp.org/index.php/Cross_Site_Tracing

Okay, sounds good. I was not aware of that possibility. I removed TRACE
from the uninteresting set.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
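
Added example, not part of the original message and not the http-methods.nse code: a Python sketch of the check discussed in this thread, reporting advertised methods outside the uninteresting set (with TRACE removed) and testing whether a TRACE response reflects a request header. The function names, the X-Probe header, the handling of the Public header and the sample responses are all assumptions constructed for illustration.

```python
# Added example: sample responses below are constructed, not captured traffic.
# After the change in this thread, TRACE is no longer in the uninteresting set.
UNINTERESTING = {"GET", "HEAD", "POST", "OPTIONS"}

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Repeated headers (e.g. two Allow lines) are collected, not overwritten.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body

def interesting_methods(options_response: bytes):
    """Advertised methods that fall outside the uninteresting set."""
    _, headers, _ = parse_response(options_response)
    advertised = set()
    # Assumption: a Public header, where a server sends one, is read like Allow.
    for name in ("allow", "public"):
        for value in headers.get(name, []):
            advertised.update(m.strip().upper() for m in value.split(",") if m.strip())
    return sorted(advertised - UNINTERESTING)

def trace_reflects(trace_response: bytes, probe_name: str, probe_value: str) -> bool:
    """True if a 200 TRACE response echoes the probe request header in its body."""
    status, _, body = parse_response(trace_response)
    if status != 200:
        return False
    needle = f"{probe_name}: {probe_value}".lower().encode("iso-8859-1")
    return needle in body.lower()

# Constructed samples: an OPTIONS reply, a reflecting TRACE reply, a refused TRACE.
OPTIONS_SAMPLE = (b"HTTP/1.1 200 OK\r\nAllow: GET, HEAD, POST\r\n"
                  b"Allow: OPTIONS, trace, PUT\r\nContent-Length: 0\r\n\r\n")
TRACE_SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                b"TRACE / HTTP/1.1\r\nHost: example.test\r\n"
                b"X-Probe: 7f3a-constructed\r\n\r\n")
TRACE_DISABLED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD\r\n\r\n"

if __name__ == "__main__":
    print(interesting_methods(OPTIONS_SAMPLE))
    print(trace_reflects(TRACE_SAMPLE, "X-Probe", "7f3a-constructed"))
    print(trace_reflects(TRACE_DISABLED, "X-Probe", "7f3a-constructed"))
```

A server that answers the TRACE probe with 405, or that never echoes the probe header, does not give a script the reflection the quoted message describes.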

