WebApp Sec mailing list archives
Re: TRACE used to increase the dangerous of XSS.
From: "Jordan Frank" <jordanf () shaw ca>
Date: Wed, 22 Jan 2003 17:45:50 -0800
This is not a bug in Internet Explorer. When an HTTP TRACE is performed, the entire request, headers and all, is echoed back as the CONTENT BODY...that's the key. The responseText property represents the body of the response, as a string. Even if it didn't, the XMLHTTP object offers you access to the headers through the getAllResponseHeaders and getResponseHeader methods. So the XMLHTTP object is acting exactly as it's supposed to. Damnit, can't peg this one on Microsoft...

I initially wanted to post some message to the mailing lists talking about how this is overhyped nonsense, and offers nothing new other than a different way to get cookies. Then I read the paper and thought about it for a while, and realized that this is in fact something "somewhat" revolutionary.

Maybe I'm a dummy, but I have yet to see any well-publicized way to get the headers that will be sent to a webserver along with a request. Yes, we could access the cookies through script, and we could use XMLHTTP to issue a GET request and look at the Set-Cookie header, but we didn't have a way to grab the Authentication information from the headers, as they were only sent to the webserver, and not echoed back to the client. So we needed a proxy, or a packet sniffer. Now we have a way of getting the headers that are sent from the client to the server. That is useful, and new (to me at least). If you can show me another way to get the authentication information from the client through JavaScript then please let me know (maybe I'm missing something really simple, I'm just a kid).

I think the problem was that this was a bit overhyped, it was misunderstood (and therefore misreported) by a few news organizations, and it focused mostly on cookies. I think it's way cooler that we can steal the authentication credentials. But why does everyone get so up in arms about the stupid issues, and ignore the technical merit?

Can't we end the bickering and just admit that this is a new technique that we did not know about, and now we do. Damnit, those WhiteHat Security guys thought of something we didn't... Anyways, props to WhiteHat Security for sharing their findings. This adds another tool to my arsenal. Damnit, that kid's gonna hack my hotmail account...

jordan

----- Original Message -----
From: "Richard M. Smith" <rms () computerbytesman com>
To: <bugtraq () securityfocus com>; <webappsec () securityfocus com>; <vulnwatch () vulnwatch org>
Sent: Wednesday, January 22, 2003 2:34 PM
Subject: RE: TRACE used to increase the dangerous of XSS.

| Isn't this a bug in Internet Explorer? Shouldn't the Microsoft XMLHTTP ActiveX control be removing cookies from returned HTTP headers when a HTTP TRACE is done? I know that this already happens when a GET or a POST is done with XMLHTTP.
|
| Richard M. Smith
| http://www.ComputerBytesMan.com
|
| -----Original Message-----
| From: Jeremiah Grossman [mailto:jeremiah () whitehatsec com]
| Sent: Wednesday, January 22, 2003 3:33 PM
| To: bugtraq () securityfocus com; webappsec () securityfocus com; vulnwatch () vulnwatch org
| Subject: TRACE used to increase the dangerous of XSS.
|
| WhiteHat Security has released a new white paper discussing a new class of web-app-sec attack (XST) which potentially affects all web servers supporting TRACE.
|
| The white paper explains all the detailed technical results we have found so far. We are fairly certain this particular issue will spark much debate and encourage those interested to read and comment.
|
| White Paper Mirrors:
| http://www.betanews.com/whitehat/WH-WhitePaper_XST_ebook.pdf
| http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf
| http://www.boarder.org/WH-WhitePaper_XST_ebook.pdf
| http://www.forumgalaxy.com/whmirror/WhitePaper_screen.pdf
|
| Press Release
| http://www.whitehatsec.com/press_releases/WH-PR-20030120.txt
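The mechanism Jordan describes (a TRACE response carries the client's own request line and headers as its body, so anything the client attached, Authorization included, becomes readable from the response body) can be seen end to end on a local machine. The following is an added example written for this archive page, not code from the thread, from WhiteHat Security or from Microsoft. It assumes two constructed local servers: one that implements TRACE the way RFC 2616 section 9.8 describes (echo the request as message/http), and one hardened to refuse the method with 405. The check_trace function is the part a defender would keep: run it against your own hosts to confirm TRACE is off and that a marker header you send does not come back in the body. The Authorization value is a constructed dummy.

```python
"""Added example: what a TRACE response contains, and a check that TRACE is disabled.

Not part of the original mailing-list thread. The two handlers below are
constructed stand-ins for a real web server; the Authorization value is a dummy.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class TraceEchoHandler(BaseHTTPRequestHandler):
    """Constructed server with TRACE enabled: echoes the request as message/http."""

    def do_TRACE(self):
        # Rebuild the request line plus every header the client sent, exactly as
        # received. This is the 'entire request, headers and all' from the thread.
        lines = [self.requestline]
        lines += [f"{name}: {value}" for name, value in self.headers.items()]
        lines += ["", ""]  # terminating blank line
        body = "\r\n".join(lines).encode("iso-8859-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


class TraceRefuseHandler(TraceEchoHandler):
    """Constructed hardened server: TRACE is rejected with 405 Method Not Allowed."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD")
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_server(handler):
    """Bind a constructed server on an ephemeral localhost port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def check_trace(host, port, marker=("Authorization", "Basic ZGVtbzpkZW1v")):
    """Issue one TRACE carrying a marker header and classify the answer.

    Returns a dict with the status code, whether the server echoed the request
    (TRACE enabled), and whether the marker header's value appeared in the body
    (the leak the thread is about). The marker is a constructed dummy value.
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", "/", headers={marker[0]: marker[1]})
    resp = conn.getresponse()
    body = resp.read().decode("iso-8859-1", "replace")
    conn.close()
    echoed = resp.status == 200 and body.startswith("TRACE / HTTP/1.1")
    return {
        "status": resp.status,
        "trace_enabled": echoed,
        "header_leaked": marker[1] in body,
    }


def demo():
    """Run the check against both constructed servers and return the two results."""
    results = {}
    for name, handler in (("echoing", TraceEchoHandler), ("refusing", TraceRefuseHandler)):
        srv, port = start_server(handler)
        try:
            results[name] = check_trace("127.0.0.1", port)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} {result}")
```

On the echoing server the result reports trace_enabled and header_leaked as true, which is the whole XST observation: nothing the server does is wrong per the HTTP spec, it is the combination with a client that can issue TRACE and read the body that matters. The usual fixes on the server side are to disable the method (Apache's `TraceEnable off` directive, or an equivalent method filter on other servers); on the client side, current browsers treat TRACE as a forbidden method for XMLHttpRequest and fetch, so the 2003 in-browser path no longer works, but the server check above remains worth running because non-browser clients are not bound by that rule.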
Current thread:
- Re: TRACE used to increase the dangerous of XSS. Jordan Frank (Jan 22)
- <Possible follow-ups>
- Re: TRACE used to increase the dangerous of XSS. Jeremiah Grossman (Jan 22)
- RE: TRACE used to increase the dangerous of XSS. Thor Larholm (Jan 23)
- RE: TRACE used to increase the dangerous of XSS. Thor Larholm (Jan 23)