WebApp Sec mailing list archives

RE: rating TRACE


From: Kenneth Kron <kenneth.kron () truvantis com>
Date: Wed, 12 Nov 2014 22:38:17 +0000

Regarding PCI scanning. There are quarterly scans (ASV) that will absolutely be a fail if TRACE is enabled. I think 
this is correct, as there is really no functional value to giving the user all of this detail, and 
you are providing a very detailed map to your attack surface.

Other interim scans could lower the priority if there were some production need to diagnose a behavior and enabling 
trace was the best way to diagnose it but that scenario is uncommon to say the least and you would have to be 
diagnosing something serious enough to warrant publicly providing a detailed map to your attack surface.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Robin Wood
Sent: Wednesday, November 12, 2014 2:23 PM
To: Ryan Dewhurst
Cc: webappsec () securityfocus com
Subject: Re: rating TRACE

On 12 November 2014 22:20, Ryan Dewhurst <ryandewhurst () gmail com> wrote:
The Java applet thing is because it can send a cross-domain TRACE request.
You would need the victim to visit a site you control first, which 
would then send the cross-domain TRACE to the target site, revealing 
your HTTPOnly cookies from the target site.

I get that, but they would have to allow the applet to run, which can open them up to a lot more serious attacks than 
stealing cookies.

I think you can lower the CVSS score if you do not agree with it but 
you need to add a note saying that you have lowered it and your 
reasons why. I'm not too sure about this, though; it's just something I've heard.

Don't know, I'm not a QSA and don't pretend to be one.

Robin

On Wed, Nov 12, 2014 at 11:16 PM, Robin Wood <robin@digi.ninja> wrote:

On 12 November 2014 22:09, Ryan Dewhurst <ryandewhurst () gmail com> wrote:
I added this link to that OWASP page a while back which explains 
the Java applet method - 
http://seckb.yehg.net/2012/06/xss-gaining-access-to-httponly-cookie.html

Not sure if it still works though, haven't read that post in a while.

I'll have a look but if you can run Java applets there are a lot 
worse attacks you can do beyond grabbing cookies.

I'd need to double check but I think I give it a low.

General consensus on Twitter is low as well, but I realised that if 
you go with the basic CVSS and get a 6.0 then that is a PCI fail; a 
QSA friend of ours told me that if that happens it can't be ignored 
and they would be failed till it was fixed.

Imagine not being able to take payments because you've got TRACE 
enabled and a tester just blindly trusted the CVSS basic calculator!

Robin


On Wed, Nov 12, 2014 at 5:19 PM, Robin Wood <robin@digi.ninja> wrote:

I've always given TRACE enabled a rating of low in my reports and 
I know other testers who don't even bother reporting it but a 
client has asked for a CVSS score for it and in Googling I found 
that Rapid 7 rate it as a 6.0, that is high end of medium.

http://www.rapid7.co.uk/db/vulnerabilities/http-trace-method-enabled

Looking at the metrics they give it does appear to be a reasonable 
score and checking on the calculator I get a 5.8

http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=%28AV:N/AC:M/Au:N/C:P/I:P/A:N%29

I know newer browsers can't make TRACE requests through JavaScript, 
but there is a comment on the OWASP site about potentially using Java 
to make the call. In my opinion, if you've got Java running on a 
client machine then TRACE isn't what you are likely to be thinking about.

https://www.owasp.org/index.php/Cross_Site_Tracing

I'm curious what others think, do you rate TRACE as low or medium?

Robin



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------