Vulnerability Development mailing list archives

HTTP 1.1 TRACE Command


From: Clinton Smith <festive () iinet net au>
Date: Fri, 08 Feb 2002 10:49:59 +0800

Is there an HTTP protocol guru out there?

In the name of Development, I have been playing with the HTTP
TRACE command. If I understand the RFC correctly (which I may not),
TRACE sets up a loopback of sorts for testing.

Would it be possible to do something along the following lines:

Send a TRACE directive to a webserver via a spoofed network broadcast address,
to elicit a DoS of sorts (similar to smurf, fraggle)? Or is there some mechanism
preventing this?

As the packets would be on 80 they would have some mobility through firewalls etc.

What do you think?

Kind Regards,
Clinton Smith

