WebApp Sec mailing list archives

Re: TRACE used to increase the dangerous of XSS.

From: Jeremiah Grossman <jeremiah () whitehatsec com>
Date: 22 Jan 2003 18:41:18 -0800


On Wed, 2003-01-22 at 18:28, Doug Monroe wrote:

Jeremiah Grossman wrote:


WhiteHat Security has released a new white paper discussing a new class
of web-app-sec attack (XST) which potentially affects all web servers
supporting TRACE.


thanks for the interesting findings. 
Respectfully- the apache solution proposed by RFP in the "Server Specific
Recommendation" might alternatively be crafted as:
  RewriteEngine on
  RewriteCond %{REQUEST_METHOD}  !^(GET|POST)$
  RewriteRule .* - [F]



Cool, that should lock down strange HTTP request methods nicely. We
tried something similar on ISS/Exchange and it turned off some
functionality.

Careful using this type of method if your using Application Servers
which depend on request method other than GET or POST.

Current thread:

Re: TRACE used to increase the dangerous of XSS. Jordan Frank (Jan 22)
- <Possible follow-ups>
- Re: TRACE used to increase the dangerous of XSS. Jeremiah Grossman (Jan 22)
- RE: TRACE used to increase the dangerous of XSS. Thor Larholm (Jan 23)
- RE: TRACE used to increase the dangerous of XSS. Thor Larholm (Jan 23)