Vulnerability Development mailing list archives
HTTP 1.1 TRACE Command
From: Clinton Smith <festive () iinet net au>
Date: Fri, 08 Feb 2002 10:49:59 +0800
Is there an HTTP protocol guru out there? In the name of Development, I have been playing with the HTTP TRACE command. If I understand the RFC correctly (which I may not), TRACE sets up a loopback of sorts for testing.

Would it be possible to do something along the following lines: send a TRACE directive to a webserver via a spoofed network broadcast address, to elicit a DOS of sorts (similar to smurf, fraggle)? Or is there some mechanism preventing this? As the packets would be on 80 they would have some mobility through firewalls etc.

What do you think?

Kind Regards,
Clinton Smith