Re: RES: rating TRACE

[Robin Wood <robin@digi.ninja>]

On 14 November 2014 11:38, Mike Antcliffe
<mikeantcliffe () logicallysecure com> wrote:
> I completely agree. And one of the biggest problems is that disparity
> between ratings on tests performed by different companies can cause trust
> issues.
>
> Until the entire industry is singing from the same hymn sheet, it's always
> going to be an issue. In the meantime all we can do is provide the best
> description of the issue possible, and be ready to explain it in simpler
> terms if needed.

I think something to watch out for if you do have to explain why your
results are rated differently to a previous report is not to insult or
talk down on the previous tester. Give your reasons for your score and
be prepared to back them up.

> I've only had trace crop up as a finding once, and given that PUT and DELETE
> were also supported it wasn't too hard to write up :-)

I get it occasionally but not that often, most frequently it is listed
in OPTIONS but not enabled.

Robin

>  Mike  Antcliffe
>
>
> Logically Secure
>
>
> -------- Original message --------
> From: Robin Wood
> Date:13/11/2014 12:04 (GMT+00:00)
> To: vivir dolson
> Cc: webappsec () securityfocus com,fabio () andradesoto com br
> Subject: Re: RES: rating TRACE
>
> The general consensus seems to be low, apparently a QualysGuard
> scanner (which is ASV approved I've been told) rates it as
> informational and some, like Vivir rate it as medium.
>
> Such a simple issue and such a wide discrepancy of reporting levels
> all with their own justifications. Makes me feel sorry for end users
> who can have two companies test their systems and get two completely
> different outlooks on their risk level each with the tester being able
> to justify their findings. This may be OK for a company who has staff
> who can decode the findings and rework the levels to their own
> business but to a company who simply outsources the test and then acts
> on the results they are reliant on what they are told.
>
> Moving from TRACE to more complex or harder to understand bugs just
> makes this worse and more subjective. I wish I could suggest a way to
> fix it so everyone was rating based on the same levels. I know some
> people aren't optimistic about CVSSv3 being able to help fix it, I've
> not looked at it yet but lets hope it moves us a step closer. Anyone
> else have any ideas?
>
> Robin
>
> On 13 November 2014 02:04, vivir dolson <kcah4evil () gmail com> wrote:
> > I have always rated TRACE as medium security issue, as this might be a
> > vector for other security attacks. Besides that as a wisest security
> > principles says what is unused should be disabled. Hence if you are not
> > going to use TRACE method then in my opinion it should be switched off. It
> > will prevent your app not only against XST, but also against undiscovered
> > vulnerabilities related to this channel, which can be found in the future.
> >
> > Dayanand
> >
> > On 13-Nov-2014 7:09 AM, "Fábio Soto" <fabio () andradesoto com br> wrote:
> > > I'm rating it as low, and double check it, because it's commonly a
> > > false-positive.
> > >
> > >
> > > -----Mensagem original-----
> > > De: listbounce () securityfocus com [mailto:listbounce () securityfocus com] Em
> > > nome de Robin Wood
> > > Enviada em: quarta-feira, 12 de novembro de 2014 14:19
> > > Para: webappsec () securityfocus com
> > > Assunto: rating TRACE
> > >
> > > I've always given TRACE enabled a rating of low in my reports and I know
> > > other testers who don't even bother reporting it but a client has asked
> > > for
> > > a CVSS score for it and in Googling I found that Rapid 7 rate it as a
> > > 6.0,
> > > that is high end of medium.
> > >
> > > http://www.rapid7.co.uk/db/vulnerabilities/http-trace-method-enabled
> > >
> > > Looking at the metrics they give it does appear to be a reasonable score
> > > and checking on the calculator I get a 5.8
> > >
> > >
> > >
> > > http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=%28AV:N/AC:M/Au:N/C:P/I:P/A:N%29
> > >
> > > I know newer browsers can't make TRACE requests through JavaScript but
> > > there is a commeon the OWASP site about potentially using Java to make
> > > the
> > > call. In my opinion if you've got Java running on a client machine then
> > > TRACE isn't what you are likely to be thinking about.
> > >
> > > https://www.owasp.org/index.php/Cross_Site_Tracing
> > >
> > > I'm curious what others think, do you rate TRACE as low or medium?
> > >
> > > Robin
> > >
> > >
> > >
> > > This list is sponsored by Cenzic
> > > --------------------------------------
> > > Let Us Hack You. Before Hackers Do!
> > > It's Finally Here - The Cenzic Website HealthCheck. FREE.
> > > Request Yours Now!
> > > http://www.cenzic.com/2009HClaunch_Securityfocus
> > > --------------------------------------
> > >
> > >
> > >
> > >
> > > This list is sponsored by Cenzic
> > > --------------------------------------
> > > Let Us Hack You. Before Hackers Do!
> > > It's Finally Here - The Cenzic Website HealthCheck. FREE.
> > > Request Yours Now!
> > > http://www.cenzic.com/2009HClaunch_Securityfocus
> > > --------------------------------------
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------