WebApp Sec mailing list archives

Re: TRACE used to increase the dangerous of XSS.


From: "Jordan Frank" <jordanf () shaw ca>
Date: Wed, 22 Jan 2003 17:45:50 -0800

This is not a bug in Internet Explorer. When an HTTP TRACE is performed, the
entire request, headers and all, is echoed back as the CONTENT BODY...that's
the key. The responseText property represents the body of the response, as a
string. Even if it didn't, the XMLHTTP object offers you access to the
headers through the getAllResponseHeaders and getResponseHeader methods. So
the XMLHTTP object is acting exactly as it's supposed to. Damnit, can't peg
this one on Microsoft...

I initially wanted to post some message to the mailing lists talking about
how this is overhyped nonsense, and offers nothing new other than a
different way to get cookies. Then I read the paper and thought about it for
a while, and realized that this is in fact something "somewhat"
revolutionary. Maybe I'm a dummy, but I have yet to see any well-publicized
way to get the headers that will be sent to a webserver along with a
request. Yes, we could access the cookies through script, and we could use
XMLHTTP to issue a GET request and look at the Set-Cookie header, but we
didn't have a way to grab the Authentication information from the headers,
as they were only sent to the webserver, and not echoed back to the client.
So we needed a proxy, or a packet sniffer. Now we have a way of getting the
headers that are sent from the client to the server. That is useful, and new
(to me at least). If you can show me another way to get the authentication
information from the client through JavaScript then please let me know
(maybe I'm missing something really simple, I'm just a kid).

I think the problem was that this was a bit overhyped, it was misunderstood
(and therefore misreported) by a few news organizations, and it focused
mostly on cookies. I think it's way cooler that we can steal the
authentication credentials. But why does everyone get so up in arms about
the stupid issues, and ignore the technical merit? Can't we end the
bickering and just admit that this is a new technique that we did not know
about, and now we do. Damnit, those WhiteHat Security guys thought of
something we didn't...

Anyways, props to WhiteHat Security for sharing their findings. This adds
another tool to my arsenal. Damnit, that kid's gonna hack my hotmail
account...

jordan


----- Original Message -----
From: "Richard M. Smith" <rms () computerbytesman com>
To: <bugtraq () securityfocus com>; <webappsec () securityfocus com>;
<vulnwatch () vulnwatch org>
Sent: Wednesday, January 22, 2003 2:34 PM
Subject: RE: TRACE used to increase the dangerous of XSS.


| Isn't this a bug in Internet Explorer?  Shouldn't the Microsoft XMLHTTP
| ActiveX control be removing cookies from returned HTTP headers when an
| HTTP TRACE is done?  I know that this already happens when a GET or a
| POST is done with XMLHTTP.
|
| Richard M. Smith
| http://www.ComputerBytesMan.com
|
| -----Original Message-----
| From: Jeremiah Grossman [mailto:jeremiah () whitehatsec com]
| Sent: Wednesday, January 22, 2003 3:33 PM
| To: bugtraq () securityfocus com; webappsec () securityfocus com;
| vulnwatch () vulnwatch org
| Subject: TRACE used to increase the dangerous of XSS.
|
|
| WhiteHat Security has released a new white paper discussing a new class
| of web-app-sec attack (XST) which potentially affects all web servers
| supporting TRACE.
|
| The white paper explains all the detailed technical results we have
| found so far. We are fairly certain this particular issue will spark
| much debate and encourage those interested to read and comment.
|
|
| White Paper Mirrors:
| http://www.betanews.com/whitehat/WH-WhitePaper_XST_ebook.pdf
| http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf
| http://www.boarder.org/WH-WhitePaper_XST_ebook.pdf
| http://www.forumgalaxy.com/whmirror/WhitePaper_screen.pdf
|
| Press Release
| http://www.whitehatsec.com/press_releases/WH-PR-20030120.txt
|
|
|
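From the defender's side, the exposure described in this thread (the echoed TRACE request body carrying the browser's Cookie and Authorization headers, readable through responseText) can be assessed by inspecting a server's response to TRACE. The Python below is an added example, not code from this thread or from WhiteHat's paper; the two HTTP responses in it are constructed samples and www.example.test is a placeholder host.

```python
# Assess a server's TRACE response for cross-site tracing (XST) exposure.
# Added example, not from the thread or WhiteHat's paper. Both responses
# below are constructed samples; www.example.test is a placeholder host.

# Request headers that carry credentials and matter if echoed back.
SENSITIVE_HEADERS = ("cookie", "authorization", "proxy-authorization")

def split_http_message(raw: bytes):
    """Split a raw HTTP message into (start_line, {header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def assess_trace_response(raw: bytes) -> dict:
    """Report whether TRACE is enabled and which credential headers it echoes.

    'echoed' is True when the server answered 200 and the body is the
    reflected TRACE request; 'reflected' lists the sensitive request
    headers present in that echo, i.e. what script reading responseText
    would see; 'exposed' is True when that list is non-empty.
    """
    status_line, _, body = split_http_message(raw)
    parts = status_line.split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    result = {"status": status, "echoed": False, "reflected": [], "exposed": False}
    if status != 200:
        return result  # 405/501 etc.: TRACE refused, nothing reflected
    echo_start, echo_headers, _ = split_http_message(body)
    if not echo_start.startswith("TRACE "):
        return result  # 200 but no request echo: not a TRACE reflection
    result["echoed"] = True
    result["reflected"] = sorted(h for h in echo_headers if h in SENSITIVE_HEADERS)
    result["exposed"] = bool(result["reflected"])
    return result

# Constructed sample: TRACE enabled, browser request echoed with credentials.
TRACE_ENABLED = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                 b"TRACE / HTTP/1.1\r\nHost: www.example.test\r\n"
                 b"Cookie: SESSIONID=abc123\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n")
# Constructed sample: TRACE disabled on the server, the mitigation the thread implies.
TRACE_REFUSED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("enabled", TRACE_ENABLED), ("refused", TRACE_REFUSED)):
        print(name, assess_trace_response(raw))
```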

