Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: http TRACE option

From: Alexander Bondarenko <al.bondarenko () gmail com>
Date: Fri, 18 Jan 2008 23:51:58 +0300
Hi ! 

If i understand it right cookies are sometimes protected with httpOnly 
attribute from access with javascript on the web page (see below)

HttpOnly - If this attribute is set, then the cookie cannot be directly
accessed via client-side JavaScript, although not all browsers support
this restriction.
 
So in order to get cookies you need to use the TRACE method because it send 
all your info back and only using this request can you get cookies with 
javascript (in XSS attack for example).

P.S. Sorry for my English, it's not my native language.


On Thursday 17 January 2008 23:40, pentestr wrote:

Hi,
what is the issue if TRACE option is enabled in web servers ? Nessus
results always display it as warning.
any idea...

Thanks in advance.
Rgds.
P.T.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: