Full Disclosure mailing list archives
Fw: TRACE used to increase the dangerous of XSS.
From: "Thor Larholm" <lists.netsys.com () jscript dk>
Date: Thu, 23 Jan 2003 10:12:03 +0100
----- Original Message -----
From: "Thor Larholm" <thor () pivx com>
To: <jeremiah () whitehatsec com>; <bugtraq () securityfocus com>; <webappsec () securityfocus com>; <vulnwatch () vulnwatch org>
Sent: Thursday, January 23, 2003 10:10 AM
Subject: RE: TRACE used to increase the dangerous of XSS.

I just finished reading this so-called whitepaper and the press release, and all I can say is hyped, sensationalised snakeoil. The HttpOnly cookie feature, a proprietary Microsoft extension designed to mitigate a single aspect of XSS, can be circumvented in myriads of ways. In fact, reading the HTTP response in any other way than through the document.cookie property immediately exposed through JS will return the cookie to you: calling from JS to a Java applet that in turn parses a HTTP response, using a Flash movie (or most any other plugin), or even needlessly complicating matters by parsing the BODY of a TRACE response received through XMLHTTP - such as this 'whitepaper' suggests. By design, HttpOnly makes the cookie available only through the HTTP headers - which, among many others, the XMLHTTP control can read. What we end up with from WhiteHat Security is a way to circumvent the HttpOnly cookie feature in IE6SP1, nothing else. In itself, worthy of a note in a roundup of browser problems or a comment in a reply to the posting announcing the HttpOnly feature on Bugtraq - but hardly a whitepaper, press release and blurbs such as comparing this to Code Red and Nimda or calling this a flaw in all web servers worldwide. This is simply not "a new class of web-app-sec attack" or a flaw in TRACE, as hyped by WhiteHat Security. System administrators should most definitely not waste their precious time on implementing the silly workarounds suggested, such as disabling TRACE/TRACK requests. The one, and only, impact the discovery from WhiteHat Security has is that it re-enables cookie reading from JS even if you had already cared to specifically alter your web application to accommodate this.

All the boojah and fuss about not requiring an actual XSS in the web application or being able to impose XSS on arbitrary foreign domains, factors that would indeed be a cause of concern, is utterly and completely unrelated to the findings of WhiteHat Security. These are mere demonstrations of already publicly known unpatched vulnerabilities in Internet Explorer (of which there are currently 19 - http://www.pivx.com/larholm/unpatched/ ). WhiteHat Security paired a minor low-impact notice of their own with existing proof-of-concept code from several critical high-impact vulnerabilities discovered, and long disclosed, by third-party researchers, dubbed it their own and wrote up a fancy press release filled with inaccuracies announcing an indifferent 'whitepaper' scattered with obscure irrelevancies.

In short, snakeoil.

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
Latest PivX research: Multi-vendor Game Server DDoS Vulnerability
http://www.pivx.com/press_releases/mk_mk001.html

-----Original Message-----
From: Jeremiah Grossman [mailto:jeremiah () whitehatsec com]
Sent: 22 January 2003 21:33
To: bugtraq () securityfocus com; webappsec () securityfocus com; vulnwatch () vulnwatch org
Subject: TRACE used to increase the dangerous of XSS.

WhiteHat Security has released a new white paper discussing a new class of web-app-sec attack (XST) which potentially affects all web servers supporting TRACE. The white paper explains all the detailed technical results we have found so far. We are fairly certain this particular issue will spark much debate and encourage those interested to read and comment.

White Paper Mirrors:
http://www.betanews.com/whitehat/WH-WhitePaper_XST_ebook.pdf
http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf
http://www.boarder.org/WH-WhitePaper_XST_ebook.pdf
http://www.forumgalaxy.com/whmirror/WhitePaper_screen.pdf

Press Release
http://www.whitehatsec.com/press_releases/WH-PR-20030120.txt
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
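The mechanism the two messages are arguing about, as an added example that is not part of either poster's writing or of the WhiteHat paper: a loopback http.server that implements TRACE the way the HTTP spec describes it (request line and headers reflected in the response body, so a Cookie header comes back whether or not it was marked HttpOnly), a second handler that refuses TRACE with 405, and a check function that reports whether a constructed cookie value is echoed. All class and function names, and the cookie value, are my own; the servers bind only to 127.0.0.1 on ephemeral ports.

```python
"""Added example (not from the thread): why TRACE echoes a cookie back into a
response body, and what a server that has TRACE disabled answers instead.
Runs entirely against loopback with constructed data."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class EchoingTraceHandler(BaseHTTPRequestHandler):
    """TRACE as RFC 2616 describes it: reflect the request line and every
    request header in a message/http body.  The Cookie header is reflected
    too, which is exactly what HttpOnly cannot prevent."""

    def do_TRACE(self):
        body = f"{self.requestline}\r\n".encode()
        for name, value in self.headers.items():
            body += f"{name}: {value}\r\n".encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


class HardenedHandler(EchoingTraceHandler):
    """Same server with TRACE switched off: 405 and an empty body."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD")
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_server(handler_cls):
    """Bind to an ephemeral loopback port and serve from a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def trace_reflects_cookie(host, port, cookie_value):
    """Send a TRACE carrying a constructed session cookie and return
    (status, reflected).  reflected=True means the body handed the cookie
    back to whoever could read the response, HttpOnly notwithstanding."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", "/", headers={"Cookie": f"session={cookie_value}"})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", errors="replace")
        return resp.status, cookie_value in body
    finally:
        conn.close()


def demo():
    """Run the echoing and the hardened server and return both check results."""
    weak = start_server(EchoingTraceHandler)
    hard = start_server(HardenedHandler)
    try:
        weak_result = trace_reflects_cookie("127.0.0.1", weak.server_port, "CONSTRUCTED-SECRET")
        hard_result = trace_reflects_cookie("127.0.0.1", hard.server_port, "CONSTRUCTED-SECRET")
    finally:
        weak.shutdown()
        hard.shutdown()
    return weak_result, hard_result


if __name__ == "__main__":
    (weak_status, weak_refl), (hard_status, hard_refl) = demo()
    print(f"TRACE enabled : status {weak_status}, cookie reflected = {weak_refl}")
    print(f"TRACE disabled: status {hard_status}, cookie reflected = {hard_refl}")
```

The check function is the useful part for an administrator: pointed at a staging host with a throwaway cookie value, it tells you whether that server's TRACE handling reflects request headers at all, which is the only server-side fact this whole thread turns on. Whether that fact matters depends, as Larholm argues, on what the browser lets a script read.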