WebApp Sec mailing list archives
Re: rating TRACE
From: Robin Wood <robin@digi.ninja>
Date: Wed, 12 Nov 2014 22:26:08 +0000
On 12 November 2014 22:24, Andrew van der Stock <vanderaj () greebo net> wrote:

> Once you plug in the rest of CVSS and get past the base score, it turns out it's CVSS rating 1.0, which is where I believe it to be. CVSS v2 Vector (AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C/CDP:N/TD:L/CR:ND/IR:L/AR:ND)

Fair enough, 1.0 is a much more realistic value for it.

> TRACE causes reflected XSS in really old browsers, which are not in common use today. I would still get folks to turn it off as it's attack surface reduction, but to concentrate on this one method, when DEBUG or WebDAV is enabled for no good reason, this is the least of most folks' worries.

Same here, I recommend it is turned off as well.

Robin

> thanks Andrew
>
> On Thu, Nov 13, 2014 at 3:19 AM, Robin Wood <robin@digi.ninja> wrote:
>
>> I've always given TRACE enabled a rating of low in my reports and I know other testers who don't even bother reporting it, but a client has asked for a CVSS score for it and in Googling I found that Rapid 7 rate it as a 6.0, that is high end of medium.
>> http://www.rapid7.co.uk/db/vulnerabilities/http-trace-method-enabled
>>
>> Looking at the metrics they give it does appear to be a reasonable score and checking on the calculator I get a 5.8
>> http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=%28AV:N/AC:M/Au:N/C:P/I:P/A:N%29
>>
>> I know newer browsers can't make TRACE requests through JavaScript but there is a comment on the OWASP site about potentially using Java to make the call. In my opinion if you've got Java running on a client machine then TRACE isn't what you are likely to be thinking about.
>> https://www.owasp.org/index.php/Cross_Site_Tracing
>>
>> I'm curious what others think, do you rate TRACE as low or medium?
>>
>> Robin
>>
>> This list is sponsored by Cenzic. Let Us Hack You. Before Hackers Do! It's Finally Here - The Cenzic Website HealthCheck. FREE. Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus