WebApp Sec mailing list archives

RE: rating TRACE


From: Fábio Soto <fabio () andradesoto com br>
Date: Wed, 12 Nov 2014 21:33:19 -0200

I'm rating it as low, and I double-check it, because it's commonly a false positive.


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Robin Wood
Sent: Wednesday, 12 November 2014 14:19
To: webappsec () securityfocus com
Subject: rating TRACE

I've always given TRACE enabled a rating of low in my reports, and I know other testers who don't even bother reporting it, but a client has asked for a CVSS score for it, and in Googling I found that Rapid 7 rate it as a 6.0, that is the high end of medium.

http://www.rapid7.co.uk/db/vulnerabilities/http-trace-method-enabled

Looking at the metrics they give, it does appear to be a reasonable score, and checking on the calculator I get a 5.8.

http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=%28AV:N/AC:M/Au:N/C:P/I:P/A:N%29

I know newer browsers can't make TRACE requests through JavaScript, but there is a comment on the OWASP site about potentially using Java to make the call. In my opinion, if you've got Java running on a client machine then TRACE isn't what you are likely to be thinking about.

https://www.owasp.org/index.php/Cross_Site_Tracing

I'm curious what others think, do you rate TRACE as low or medium?

Robin
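On the false-positive point raised in the reply: a genuine TRACE response is a 200 with Content-Type message/http whose body echoes the request that was sent (RFC 7231 section 4.3.8), whereas many scanners flag any 200 to a TRACE request, including a server that simply serves its normal page or error document for unknown methods. The following is an added example, not code from the thread or from any scanner: a classifier that takes the raw request and raw response bytes a scanner captured and says whether the finding is confirmed, a false positive, or the method is disabled. All sample responses are constructed for the example; nothing here talks to the network.

```python
# Added example (not from the mailing-list thread): verify a scanner's
# "TRACE enabled" finding from the captured request/response instead of
# trusting the status code alone. Sample messages below are constructed.

def parse_response(raw: bytes) -> tuple:
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return status, headers, body


def classify_trace_response(request: bytes, raw_response: bytes) -> str:
    """Return 'enabled', 'false-positive', 'disabled' or 'inconclusive'."""
    status, headers, body = parse_response(raw_response)
    if status in (405, 501):
        return "disabled"          # method explicitly refused
    if status != 200:
        return "inconclusive"      # e.g. 403 from a proxy/WAF: not a finding yet
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    request_line = request.split(b"\r\n", 1)[0]
    # Only a message/http body that echoes our own request line proves TRACE.
    if ctype == "message/http" and request_line in body:
        return "enabled"
    return "false-positive"        # 200, but the server did not echo the request


# Constructed sample traffic (not captured from any real host).
REQUEST = b"TRACE / HTTP/1.1\r\nHost: example.test\r\nX-Marker: constructed\r\n\r\n"
ECHOED = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
          b"TRACE / HTTP/1.1\r\nHost: example.test\r\nX-Marker: constructed\r\n\r\n")
PLAIN_200 = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<html><body>It works</body></html>")
REFUSED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"
BLOCKED = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nblocked"

if __name__ == "__main__":
    for label, resp in [("echoed", ECHOED), ("plain 200", PLAIN_200),
                        ("405", REFUSED), ("403", BLOCKED)]:
        print(f"{label:>10}: {classify_trace_response(REQUEST, resp)}")
```

Only the "enabled" verdict should go into a report at whatever rating you settle on; the "false-positive" case is exactly the scanner noise the reply warns about. On Apache the fix, once confirmed, is `TraceEnable off` in the server configuration, after which the classifier above sees a 405 and returns "disabled".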



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! 
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

