WebApp Sec mailing list archives
Re: RES: rating TRACE
From: Robin Wood <robin@digi.ninja>
Date: Fri, 14 Nov 2014 11:48:06 +0000
On 14 November 2014 11:38, Mike Antcliffe <mikeantcliffe () logicallysecure com> wrote:
I completely agree. And one of the biggest problems is that disparity between ratings on tests performed by different companies can cause trust issues. Until the entire industry is singing from the same hymn sheet, it's always going to be an issue. In the meantime all we can do is provide the best description of the issue possible, and be ready to explain it in simpler terms if needed.
I think something to watch out for if you do have to explain why your results are rated differently to a previous report is not to insult or talk down on the previous tester. Give your reasons for your score and be prepared to back them up.
I've only had trace crop up as a finding once, and given that PUT and DELETE were also supported it wasn't too hard to write up :-)
I get it occasionally but not that often; most frequently it is listed in OPTIONS but not enabled.

Robin
Mike Antcliffe
Logically Secure

-------- Original message --------
From: Robin Wood
Date: 13/11/2014 12:04 (GMT+00:00)
To: vivir dolson
Cc: webappsec () securityfocus com, fabio () andradesoto com br
Subject: Re: RES: rating TRACE

The general consensus seems to be low; apparently a QualysGuard scanner (which is ASV approved, I've been told) rates it as informational and some, like Vivir, rate it as medium. Such a simple issue and such a wide discrepancy of reporting levels, all with their own justifications. Makes me feel sorry for end users who can have two companies test their systems and get two completely different outlooks on their risk level, each with the tester being able to justify their findings. This may be OK for a company who has staff who can decode the findings and rework the levels to their own business, but to a company who simply outsources the test and then acts on the results, they are reliant on what they are told.

Moving from TRACE to more complex or harder to understand bugs just makes this worse and more subjective. I wish I could suggest a way to fix it so everyone was rating based on the same levels. I know some people aren't optimistic about CVSSv3 being able to help fix it; I've not looked at it yet but let's hope it moves us a step closer.

Anyone else have any ideas?

Robin

On 13 November 2014 02:04, vivir dolson <kcah4evil () gmail com> wrote:
I have always rated TRACE as a medium security issue, as this might be a vector for other security attacks. Besides that, as one of the wisest security principles says, what is unused should be disabled. Hence if you are not going to use the TRACE method then in my opinion it should be switched off. It will protect your app not only against XST, but also against undiscovered vulnerabilities related to this channel which may be found in the future.

Dayanand

On 13-Nov-2014 7:09 AM, "Fábio Soto" <fabio () andradesoto com br> wrote:
I'm rating it as low, and double check it, because it's commonly a false positive.

-----Original message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Robin Wood
Sent: Wednesday, 12 November 2014 14:19
To: webappsec () securityfocus com
Subject: rating TRACE

I've always given TRACE enabled a rating of low in my reports and I know other testers who don't even bother reporting it, but a client has asked for a CVSS score for it and in Googling I found that Rapid7 rate it as a 6.0, that is the high end of medium.
http://www.rapid7.co.uk/db/vulnerabilities/http-trace-method-enabled

Looking at the metrics they give it does appear to be a reasonable score, and checking on the calculator I get a 5.8:
http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=%28AV:N/AC:M/Au:N/C:P/I:P/A:N%29

I know newer browsers can't make TRACE requests through JavaScript but there is a comment on the OWASP site about potentially using Java to make the call. In my opinion if you've got Java running on a client machine then TRACE isn't what you are likely to be thinking about.
https://www.owasp.org/index.php/Cross_Site_Tracing

I'm curious what others think, do you rate TRACE as low or medium?

Robin

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
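Robin's remark that TRACE is most often listed in OPTIONS but not actually enabled, and Fábio's note that it is commonly a false positive, both come down to verifying the reflection rather than trusting the Allow header. The following added example (not from the thread) runs two constructed local servers, one that merely advertises TRACE and one that really echoes the request, and classifies each; the handler names and the X-Probe marker header are my own.

```python
# Added example: tell "TRACE advertised in Allow" apart from "TRACE actually enabled".
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = "X-Probe"  # constructed header; a live TRACE must echo it back in the body


class AdvertisesOnly(BaseHTTPRequestHandler):
    """Lists TRACE in Allow but never implements it (the base class answers 501)."""
    def do_OPTIONS(self):
        self.send_response(204)
        self.send_header("Allow", "GET, HEAD, OPTIONS, TRACE")
        self.end_headers()

    def log_message(self, *args):  # keep the demo servers quiet
        pass


class EchoesTrace(AdvertisesOnly):
    """Really implements TRACE: reflects the request line and headers as message/http."""
    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)  # port 0: the OS picks a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def classify_trace(host, port):
    """Return 'enabled', 'advertised-only' or 'disabled' for host:port."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", "/")
    allow = conn.getresponse().getheader("Allow") or ""
    advertised = "TRACE" in {m.strip().upper() for m in allow.split(",")}
    conn.request("TRACE", "/", headers={MARKER: "trace-check"})
    resp = conn.getresponse()
    # Only a reflected marker proves TRACE is live; a 200 with a normal page does not.
    echoed = resp.status == 200 and f"{MARKER}: trace-check" in resp.read().decode(errors="replace")
    conn.close()
    if echoed:
        return "enabled"
    return "advertised-only" if advertised else "disabled"
```

Report the finding only for "enabled"; "advertised-only" is the scanner false positive the thread describes and belongs in the notes, not the findings table.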