WebApp Sec mailing list archives

Re: rating TRACE


From: Robin Wood <robin@digi.ninja>
Date: Fri, 14 Nov 2014 08:48:52 +0000

On 13 November 2014 16:13, Seth Art <sethsec () gmail com> wrote:
Robin,

If you are lucky, it might be a false positive.  I have seen cases
where OPTIONS tells you that TRACE is supported, but if you try the
TRACE method, you get a 501 Not Implemented.   Worth a try.

You find that a lot with IIS: OPTIONS almost always says it is there,
but then it is rarely enabled. Shows why you should always do false
positive checking.

Robin

Seth

On Wed, Nov 12, 2014 at 11:19 AM, Robin Wood <robin@digi.ninja> wrote:
I've always given TRACE enabled a rating of low in my reports, and I
know other testers who don't even bother reporting it, but a client has
asked for a CVSS score for it, and in Googling I found that Rapid 7
rate it as a 6.0, that is the high end of medium.

http://www.rapid7.co.uk/db/vulnerabilities/http-trace-method-enabled

Looking at the metrics they give, it does appear to be a reasonable
score, and checking on the calculator I get a 5.8.

http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=%28AV:N/AC:M/Au:N/C:P/I:P/A:N%29

I know newer browsers can't make TRACE requests through JavaScript, but
there is a comment on the OWASP site about potentially using Java to make
the call. In my opinion, if you've got Java running on a client machine
then TRACE isn't what you are likely to be thinking about.

https://www.owasp.org/index.php/Cross_Site_Tracing

I'm curious what others think, do you rate TRACE as low or medium?

Robin



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

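The false-positive check discussed in this thread, as an added example that is not code from either poster: ask OPTIONS what it advertises, then send a real TRACE carrying a random marker header and only call the method enabled if the server echoes that marker back. The host name, the marker header name (X-Trace-Probe) and the sample responses are constructed for the example.

```python
"""False-positive check for an HTTP TRACE finding.

Added example, not code from the thread. The host name, the marker
header name and the sample responses below are constructed.
Usage: python trace_check.py target.example 80
"""
import http.client
import secrets
import sys

MARKER_HEADER = "X-Trace-Probe"   # arbitrary header name we expect echoed back


def allow_methods(allow_header):
    """Parse an Allow header such as 'GET, HEAD, TRACE' into a set of methods."""
    if not allow_header:
        return set()
    return {m.strip().upper() for m in allow_header.split(",") if m.strip()}


def classify_trace(status, body, marker_value):
    """Judge the response to a real TRACE request.

    A working TRACE answers 200 and echoes the request message it received
    (RFC 7231 section 4.3.8), so the marker header we sent must appear in
    the body. 405/501 means the server refuses or lacks the method; a 200
    without the echo is usually a catch-all handler, not TRACE."""
    echoed = ("%s: %s" % (MARKER_HEADER, marker_value)).lower() in body.lower()
    if status == 200 and echoed:
        return "enabled"
    if status in (405, 501):
        return "not-implemented"
    if status == 200:
        return "200-without-echo"
    return "other:%d" % status


def verdict(allow_header, trace_status, trace_body, marker_value):
    """Combine what OPTIONS advertises with what TRACE actually does."""
    advertised = "TRACE" in allow_methods(allow_header)
    real = classify_trace(trace_status, trace_body, marker_value) == "enabled"
    if advertised and real:
        return "confirmed"
    if advertised:
        return "false-positive"        # OPTIONS lists it, TRACE does not work
    if real:
        return "enabled-unadvertised"  # OPTIONS omits it, TRACE works anyway
    return "not-enabled"


def probe(host, port=80, path="/", use_tls=False, timeout=5.0):
    """Send OPTIONS then TRACE to a live server; return (Allow, status, verdict)."""
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    marker = secrets.token_hex(8)  # fresh per run so a cached page cannot match

    conn = conn_cls(host, port, timeout=timeout)
    conn.request("OPTIONS", path)
    allow = conn.getresponse().getheader("Allow")
    conn.close()

    conn = conn_cls(host, port, timeout=timeout)
    conn.request("TRACE", path, headers={MARKER_HEADER: marker})
    resp = conn.getresponse()
    body = resp.read().decode("latin-1", errors="replace")
    conn.close()
    return allow, resp.status, verdict(allow, resp.status, body, marker)


# Constructed sample responses (not captured from any real host).
SAMPLE_MARKER = "deadbeefcafef00d"
SAMPLE_ECHO_BODY = (
    "TRACE / HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Accept-Encoding: identity\r\n"
    "X-Trace-Probe: deadbeefcafef00d\r\n\r\n"
)
SAMPLE_501_BODY = "<html><body>Not Implemented</body></html>"

if __name__ == "__main__":
    if len(sys.argv) >= 2:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        print(probe(sys.argv[1], port, use_tls=(port == 443)))
    else:
        # Offline demonstration on the constructed samples.
        print(verdict("GET, HEAD, OPTIONS, TRACE", 200, SAMPLE_ECHO_BODY, SAMPLE_MARKER))
        print(verdict("GET, HEAD, OPTIONS, TRACE", 501, SAMPLE_501_BODY, SAMPLE_MARKER))
```

The second constructed case is the IIS behaviour Robin describes: Allow lists TRACE, the real request gets a 501, and the script reports "false-positive" instead of an enabled finding. Checking for the echoed marker rather than just a 200 also catches front ends that answer every method with the same page.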