WebApp Sec mailing list archives
Re: [WEB SECURITY] XST
From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Tue, 21 Mar 2006 15:44:52 +0200
On 21 Mar 2006 at 10:31, Frederic Charpentier wrote:
Hi all, I am wondering if someone knows a way to perform an xmlhttp request with TRACE on an iexplore 6 SP1. Microsoft seems to block the use of open("TRACE",url,false). I saw on this list that IE can be tricked using open("\r\nTRACE",url,false), but it doesn't work with the http server I use (cisco web vpn gateway). So, if there's another way to do that ...
Well, you can try the technique I dubbed "HTTP Request splitting", see "Exploiting the XmlHttpRequest object in IE - Referrer spoofing, and a lot more..." by yours truly, http://www.webappsec.org/lists/websecurity/archive/2005-09/msg00019.html

Try something like this:

    var x = new ActiveXObject("Microsoft.XMLHTTP");
    x.open("GET\t/\tHTTP/1.0\r\nHost:\twww.target.site\r\n\r\nTRACE\t/\tHTTP/1.0\r\nFoobar:", "/",false);
    x.send();

As you can see, the TRACE request is actually the SECOND request sent. This technique assumes your web server treats HT (tabs) as SPace - if the web server in question doesn't treat HT as SP, then you're out of luck (with this technique, anyway).

Also, this doesn't grant you access to the TRACE response, but then again, you didn't ask for it ;-)

I think it can be tinkered to get access to the response, if you can arrange for the first response to end on an IE buffer boundary (1KB - see "Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attacks, and Other Topics" by yours truly, http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf, p. 19). So you need to pad it, or possibly trim it (maybe by using Content-Range request? interesting idea, though I never tried it), and then make sure the next request you control is sent over the same TCP connection - and then you need to access the "response" to that request, which is actually the TRACE response.

Good luck,
-Amit
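Added example, not part of the original message or of any browser's or server's code: two defensive checks that reject the method strings quoted in this thread, one on the method argument of a script-facing HTTP API and one on the server's request-line parser, which accepts only SP (never HT) as a separator. The function names and sample inputs are constructed for illustration.

```javascript
// Added illustration: hypothetical helper names, constructed sample inputs.
'use strict';

// RFC 7230 "token": the only characters allowed in an HTTP method.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Methods refused outright (compared case-insensitively).
const FORBIDDEN = new Set(['TRACE', 'TRACK', 'CONNECT']);

// Client-side check: validate the method argument before building a request.
function checkMethod(method) {
  if (typeof method !== 'string' || !TOKEN.test(method)) {
    return { ok: false, reason: 'not-a-token' }; // CR, LF, HT, SP, ... present
  }
  if (FORBIDDEN.has(method.toUpperCase())) {
    return { ok: false, reason: 'forbidden-method' };
  }
  return { ok: true, reason: null };
}

// Server-side check: request-line = method SP request-target SP HTTP-version.
// Only a single SP is accepted as separator, so HT-delimited lines fail.
// TRACE is refused here too, the usual server-side XST mitigation.
function parseRequestLine(line) {
  const m = /^([^ \t\r\n]+) ([^ \t\r\n]+) (HTTP\/\d\.\d)$/.exec(line);
  if (!m || !checkMethod(m[1]).ok) return null;
  return { method: m[1], target: m[2], version: m[3] };
}

// Constructed samples: the method strings quoted in this thread, plus a benign one.
const samples = [
  'TRACE',
  '\r\nTRACE',
  'GET\t/\tHTTP/1.0\r\nHost:\twww.target.site\r\n\r\nTRACE\t/\tHTTP/1.0\r\nFoobar:',
  'GET',
];

// Returns [escaped method prefix, rejection reason or null] for each sample.
function report() {
  return samples.map((s) => [JSON.stringify(s).slice(0, 40), checkMethod(s).reason]);
}
```
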