Hi
TRACE allows to do XSS even if sessions ids
have been "protected" by setting the new option
"httponly" cookie
httponly was developed by Microsoft to prevent
javascript to read the cookie value, it has been implemented
in IE 6 SP1
they do this to try to limit XSS attack surface,
see http://msdn2.microsoft.com/en-us/library/ms533046.aspx
By sending a TRACE HTTP request to Apache and reading back the content
with a xmlhttp object (by example), you will be able to see
the cookie value with client-side scripts, then do XSS to upload the
session id on your server
TRACE + XSS is also called XST, see
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
see also http://osvdb.org/877
HTH
Maxime
-----Message d'origine-----
De : listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] De
la part de pentestr
Envoyé : 17 janvier 2008 15:41
À : Pentest Mailinglist
Objet : http TRACE option
Hi,
what is the issue if TRACE option is enabled in web servers ? Nessus
results always display it as warning.
any idea...
Thanks in advance.
Rgds.
P.T.
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
