Re: rating TRACE

[Seth Art <sethsec () gmail com>]

Robin,

If you are lucky, it might be a false positive.  I have seen cases
where OPTIONS tells you that TRACE is supported, but if you try the
TRACE method, you get a 501 Not Implemented.   Worth a try.

Seth

On Wed, Nov 12, 2014 at 11:19 AM, Robin Wood <robin@digi.ninja> wrote:
> I've always given TRACE enabled a rating of low in my reports and I
> know other testers who don't even bother reporting it but a client has
> asked for a CVSS score for it and in Googling I found that Rapid 7
> rate it as a 6.0, that is high end of medium.
>
> http://www.rapid7.co.uk/db/vulnerabilities/http-trace-method-enabled
>
> Looking at the metrics they give it does appear to be a reasonable
> score and checking on the calculator I get a 5.8
>
> http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=%28AV:N/AC:M/Au:N/C:P/I:P/A:N%29
>
> I know newer browsers can't make TRACE requests through JavaScript but
> there is a commeon the OWASP site about potentially using Java to make
> the call. In my opinion if you've got Java running on a client machine
> then TRACE isn't what you are likely to be thinking about.
>
> https://www.owasp.org/index.php/Cross_Site_Tracing
>
> I'm curious what others think, do you rate TRACE as low or medium?
>
> Robin
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! 
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------