Fw: TRACE used to increase the dangerous of XSS.

["Thor Larholm" <lists.netsys.com () jscript dk>]

----- Original Message -----
From: "Thor Larholm" <thor () pivx com>
To: <jeremiah () whitehatsec com>; <bugtraq () securityfocus com>;
<webappsec () securityfocus com>; <vulnwatch () vulnwatch org>
Sent: Thursday, January 23, 2003 10:10 AM
Subject: RE: TRACE used to increase the dangerous of XSS.


> I just finished reading this so-called whitepaper and the press release,
and
> all I can say is hyped, sensationalised snakeoil.
>
> The HttpOnly cookie feature, a proprietary Microsoft extension designed to
> mitigate a single aspect of XSS, can be circumvented in myriads of ways.
In
> fact, reading the HTTP response in any other way than through the
> document.cookie property immediately exposed through JS will return the
> cookie to you. Calling from JS to a Java applet that in turn parses a HTTP
> response, using a Flash movie (or most any other plugin) or even
needlessly
> complicating matters by parsing the BODY of a TRACE response received
> through XMLHTTP - such as this 'whitepaper' suggests.
>
> By design, HttpOnly makes the cookie available only through the HTTP
> headers - which, among many others, the XMLHTTP control can read.
>
> What we end up with from WhiteHat Security is a way to circumvent the
> HttpOnly cookie feature in IE6SP1, nothing else. In itself, worthy of a
note
> in a roundup of browser problems or a comment in a reply to the posting
> announcing the HttpOnly feature on Bugtraq - but hardly a whitepaper,
> pressrelease and blurbs such as comparing this to Code Red and Nimda or
> calling this a flaw in all web servers worldwide. This is simply not "a
new
> class of web-app-sec attack" or a flaw in TRACE, as hyped by WhiteHat
> Security.
>
> System administrators should most definitely not waste their precious time
> on implementing the silly workarounds suggested, such as disabling
> TRACE/TRACK requests. The one, and only, impact the discovery from
WhiteHat
> Security has is that it re-enables cookie reading from JS despite if you
had
> already cared to specifically alter your webapplication to accomodate
this.
> All the boojah and fuss about not requiring an actual XSS in the
> webapplication or being able to impose XSS on arbitrary foreign domains,
> factors that would indeed be a cause of concern, is utterly and completely
> unrelated to the findings of WhiteHat Security. These are mere
> demonstrations of already publicly known unpatched vulnerabilities in
> Internet Explorer ( of which there are currently 19 -
> http://www.pivx.com/larholm/unpatched/  ).
>
> WhiteHat Security paired a minor low-impact notice of their own with
> existing proof-of-concept code from several critical high-impact
> vulnerabilities discovered, and long disclosed, by thirdparty researchers,
> dubbed it their own and wrote up a fancy press release filled with
> inaccuracies announcing a indifferent 'whitepaper' scathered with obscure
> irrelevancies.
>
> In short, snakeoil.
>
> Regards
> Thor Larholm
> PivX Solutions, LLC - Senior Security Researcher
>
> Latest PivX research: Multi-vendor Game Server DDoS Vulnerability
> http://www.pivx.com/press_releases/mk_mk001.html
>
>
> -----Original Message-----
> From: Jeremiah Grossman [mailto:jeremiah () whitehatsec com]
> Sent: 22. januar 2003 21:33
> To: bugtraq () securityfocus com; webappsec () securityfocus com;
> vulnwatch () vulnwatch org
> Subject: TRACE used to increase the dangerous of XSS.
>
>
> WhiteHat Security has released a new white paper discussing a new class
> of web-app-sec attack (XST) which potentially affects all web servers
> supporting TRACE.
>
> The white paper explains all the detailed technical results we have
> found so far. We are fairly certain this particular issue will spark
> much debate and encourage those interested to read and comment.
>
>
> White Paper Mirrors:
> http://www.betanews.com/whitehat/WH-WhitePaper_XST_ebook.pdf
> http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf
> http://www.boarder.org/WH-WhitePaper_XST_ebook.pdf
> http://www.forumgalaxy.com/whmirror/WhitePaper_screen.pdf
>
> Press Release
> http://www.whitehatsec.com/press_releases/WH-PR-20030120.txt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html