Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: http TRACE option

From: Trancer <mtrancer () gmail com>
Date: Sun, 20 Jan 2008 02:39:47 +0200
From rfc2616:
"The TRACE method is used to invoke a remote, application-layer loop- back of the request message. The final recipient of the request SHOULD reflect the message received back to the client as the entity-body of a 200 (OK) response. The final recipient is either the origin server or the first proxy or gateway to receive a Max-Forwards value of zero (0) in the request (see section 14.31). A TRACE request MUST NOT include an entity." 

http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
The HTTP TRACE method can risk a web application using HttpOnly cookies to protect against cross-site scripting cookie-theft attacks. Exploiting the TRACE method allows an attacker to steal cookies despite the HttpOnly option. Jeremiah Grossman posted a paper about this kind of attack (cross-site tracing): 
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf

pentestr wrote:

Hi,
what is the issue if TRACE option is enabled in web servers ? Nessus results always display it as warning. 
any idea...

Thanks in advance.
Rgds.
P.T.




--
Trancer
0nly Human.


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: