Re: http TRACE option

[Chris McNab <chris.mcnab () trustmatta com>]

Hi,

Here's the HTTP TRACE discussion from the 2nd edition of my book 
(http://www.oreilly.com/catalog/9780596510305/)

-- 8< -- snip -- 8< -- snip -- 8< -- snip -- 8< --

TRACE vulnerabilities

If the TRACE method is supported and the web server is running a poorly 
written application that is vulnerable to cross-site scripting (XSS), a 
cross-site tracing (XST) attack can be launched to compromise user 
cookie and session information. If the web server is running a static 
site with no server-side application or processing of user data, the 
impact of TRACE support is significantly reduced.

Enhancements to the security of web browsers and clients (such as 
Internet Explorer 6 SP1 and later) mean that standard XSS attacks are no 
longer widely effective. XST is an attack class developed by Jeremiah 
Grossman in 2003 that allows authentication details presented in HTTP 
headers (including cookies and base64-encoded authentication strings) to 
be compromised using a combination of XSS, client-side weaknesses, and 
support for the HTTP TRACE method server-side. Grossman developed the 
attack class in response to the enhanced security  mechanisms introduced 
by Microsoft in Internet Explorer 6 SP1, which meant that the 
effectiveness of XSS was significantly reduced.

Papers discussing XST can be found at the following locations:

http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.securiteam.com/securityreviews/5YP0L1FHFC.html
http://en.wikipedia.org/wiki/Cross-site_tracing

XST depends on the following to launch an effective remote attack:

Domain restriction bypass; The ability for a client-side script to 
bypass browser security policy settings and send data to web sites 
outside the domain that is being accessed

HTTP request-enabling technologies; Support for scripting languages 
client-side that can establish outbound HTTP connections (to push the 
stolen authentication credentials to a given location)

TRACE method support; The target web server that supports the TRACE method

Upon finding and seeding an XSS bug within the target web site, we call 
scripting languages client-side that perform a TRACE to the web server, 
and then push the output to our malicious server.

Good background information relating to basic XSS attacks can be found 
at the following locations:

http://www.spidynamics.com/whitepapers/SPIcross-sitescripting.pdf
http://www.owasp.org/index.php/Cross_Site_Scripting
http://www.cert.org/archive/pdf/cross_site_scripting.pdf
http://en.wikipedia.org/wiki/Cross-site_scripting

-- 8< -- snip -- 8< -- snip -- 8< -- snip -- 8< --

Hope that helps,

Chris


pentestr wrote:
> Hi,
> what is the issue if TRACE option is enabled in web servers ? Nessus 
> results always display it as warning.
> any idea...
>
> Thanks in advance.
> Rgds.
> P.T.

--
Chris McNab
Technical Director

Matta Consulting Limited
Falstaff House
34 Bardolph Road
Richmond upon Thames
TW9 2LH

T: 08700 77 11 00
W: www.trustmatta.com

The information contained in this email is intended only for the 
person(s) to whom it is addressed and may contain confidential or 
privileged material or information that is exempt from disclosure under 
applicable law. Information and attachments may be used only for the 
purpose for which they are sent, and copying, disclosure or distribution 
of any information contained herein is strictly prohibited.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------