Hi,
Here's the HTTP TRACE discussion from the 2nd edition of my book
(http://www.oreilly.com/catalog/9780596510305/)
-- 8< -- snip -- 8< -- snip -- 8< -- snip -- 8< --
TRACE vulnerabilities
If the TRACE method is supported and the web server is running a poorly
written application that is vulnerable to cross-site scripting (XSS), a
cross-site tracing (XST) attack can be launched to compromise user
cookie and session information. If the web server is running a static
site with no server-side application or processing of user data, the
impact of TRACE support is significantly reduced.
Enhancements to the security of web browsers and clients (such as
Internet Explorer 6 SP1 and later) mean that standard XSS attacks are no
longer widely effective. XST is an attack class developed by Jeremiah
Grossman in 2003 that allows authentication details presented in HTTP
headers (including cookies and base64-encoded authentication strings) to
be compromised using a combination of XSS, client-side weaknesses, and
support for the HTTP TRACE method server-side. Grossman developed the
attack class in response to the enhanced security mechanisms introduced
by Microsoft in Internet Explorer 6 SP1, which meant that the
effectiveness of XSS was significantly reduced.
Papers discussing XST can be found at the following locations:
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.securiteam.com/securityreviews/5YP0L1FHFC.html
http://en.wikipedia.org/wiki/Cross-site_tracing
XST depends on the following to launch an effective remote attack:
Domain restriction bypass; The ability for a client-side script to
bypass browser security policy settings and send data to web sites
outside the domain that is being accessed
HTTP request-enabling technologies; Support for scripting languages
client-side that can establish outbound HTTP connections (to push the
stolen authentication credentials to a given location)
TRACE method support; The target web server that supports the TRACE method
Upon finding and seeding an XSS bug within the target web site, we call
scripting languages client-side that perform a TRACE to the web server,
and then push the output to our malicious server.
Good background information relating to basic XSS attacks can be found
at the following locations:
http://www.spidynamics.com/whitepapers/SPIcross-sitescripting.pdf
http://www.owasp.org/index.php/Cross_Site_Scripting
http://www.cert.org/archive/pdf/cross_site_scripting.pdf
http://en.wikipedia.org/wiki/Cross-site_scripting
-- 8< -- snip -- 8< -- snip -- 8< -- snip -- 8< --
Hope that helps,
Chris
pentestr wrote:
Hi,
what is the issue if TRACE option is enabled in web servers ? Nessus
results always display it as warning.
any idea...
Thanks in advance.
Rgds.
P.T.
--
Chris McNab
Technical Director
Matta Consulting Limited
Falstaff House
34 Bardolph Road
Richmond upon Thames
TW9 2LH
T: 08700 77 11 00
W: www.trustmatta.com
The information contained in this email is intended only for the
person(s) to whom it is addressed and may contain confidential or
privileged material or information that is exempt from disclosure under
applicable law. Information and attachments may be used only for the
purpose for which they are sent, and copying, disclosure or distribution
of any information contained herein is strictly prohibited.
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
