WebApp Sec mailing list archives
Re: TRACE used to increase the dangerous of XSS.
From: Jeremiah Grossman <jeremiah () whitehatsec com>
Date: 22 Jan 2003 18:41:18 -0800
On Wed, 2003-01-22 at 18:28, Doug Monroe wrote:
> Jeremiah Grossman wrote:
> > WhiteHat Security has released a new white paper discussing a new class of
> > web-app-sec attack (XST) which potentially affects all web servers
> > supporting TRACE.
>
> Thanks for the interesting findings. Respectfully, the Apache solution
> proposed by RFP in the "Server Specific Recommendation" might alternatively
> be crafted as:
>
>     RewriteEngine on
>     RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
>     RewriteRule .* - [F]
Cool, that should lock down strange HTTP request methods nicely. We tried something similar on IIS/Exchange and it turned off some functionality. Be careful using this type of method if you're using application servers which depend on request methods other than GET or POST.
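An added example, not from the thread and not WhiteHat's or RFP's code: after deploying a rule like the one quoted above, an administrator can verify from the outside that the server actually refuses TRACE rather than echoing the request back (the precondition XST relies on). The host, port and marker header are constructed placeholders; the sample responses are constructed as well.

```python
import socket

MARKER = "X-Xst-Check: cafe1234"  # constructed header the echo would have to contain

# Constructed sample responses illustrating the three outcomes.
SAMPLE_RESPONSES = {
    "echoed": (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
               b"TRACE / HTTP/1.1\r\nHost: localhost\r\n"
               + MARKER.encode() + b"\r\n\r\n"),
    "forbidden": b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n",
    "odd": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
}


def classify_trace_response(raw: bytes, marker: str = MARKER) -> str:
    """Classify a raw HTTP reply to a TRACE request.

    'enabled' - 200 and the body reflects our marker header (TRACE is live)
    'blocked' - 403/405/501, i.e. the rewrite rule or server refused it
    'unknown' - anything else (a 200 without an echo, redirects, errors)
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1", "replace").split()
    if len(parts) < 2 or not parts[1].isdigit():
        return "unknown"
    code = int(parts[1])
    if code in (403, 405, 501):
        return "blocked"
    if code == 200 and marker.encode() in body:
        return "enabled"
    return "unknown"


def build_trace_request(host: str, marker: str = MARKER) -> bytes:
    """Minimal HTTP/1.1 TRACE request carrying the marker header."""
    return (f"TRACE / HTTP/1.1\r\nHost: {host}\r\n{marker}\r\n"
            f"Connection: close\r\n\r\n").encode()


def probe_trace(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send the TRACE request to your own host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_trace_request(host))
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))


if __name__ == "__main__":
    print(probe_trace("localhost"))  # placeholder host to check
```

Run it against a host you administer before and after adding the rule; an "unknown" result usually means a front-end answered 200 for everything, so inspect the body by hand.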