Re: New Web Vulnerability - Cross-Site Tracing (fwd)
From: Jeremiah Grossman <jeremiah(at)whitehatsec.com>
Date: Wed Jan 22 2003 - 19:09:41 EST

On Wed, 2003-01-22 at 15:25, Marc Slemko wrote:

> The only new thing here is that this provides a way to get HTTP

Ok... the example you specify definitely achieves the same end this new attack does. But it does so without using any of the bugs you assume in your examples. Comparing apples to oranges really. Also, I don't recall ever seeing a browser bug where you could compromise the HTTP Basic Auth creds without having access to a target server. Maybe if we stretch it to URL trickery, ok. But this was not done using purely JavaScript as the paper clearly states.

> The reality is that there are many cases where the server returns
> Embedding session IDs in returned links is one (very commonly

I definitely see your point and it's valid. There are indeed many ways to get the web application to echo credentials which are not stored securely, such as URL, etc. What we are attempting to relate is that for your type of attack to work, you NEED a web application that is in some way flawed. What we propose is that you no longer NEED a web application to be flawed; simply a supporting TRACE web server and the creds are yours.

> The bottom line: Why do you even need to steal the user's
> And having access to those two things is exactly what

We are not assuming or requiring the browser to be flawed any more than that. Again, I see your point... if you can grab a file off their machine... what would be the point of all this? To state once more... this is not required. I also apologize if you took the media coverage to be a bit much. We don't control the media, however; surely, Marc, from experience you know that.

Received on Wed Jan 22 20:33:57 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:47 EDT
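A defender-side check for the precondition the reply names (a web server that still answers TRACE by echoing the request it received, Cookie and Authorization headers included), added here as an example and not code from the original thread. Hostnames and the sample responses are constructed; `TraceEnable off` is Apache's own directive for disabling TRACE.

```python
"""Check whether a web server still answers TRACE by echoing request headers.
Added example for the Cross-Site Tracing thread above, not code from the
original post; hostnames and sample responses are constructed.
"""
import http.client

# Request headers whose echo in a TRACE body is what XST lets a script read.
SENSITIVE_HEADERS = ("cookie", "authorization")


def echoed_sensitive_headers(status, body):
    """Names of sensitive request headers echoed in a TRACE reply.

    A server with TRACE enabled answers 200 with a message/http body that
    repeats the request it received; 405, 501 or an error page echoes nothing.
    """
    if status != 200:
        return []
    found = []
    for line in body.decode("latin-1").splitlines():
        name, sep, _ = line.partition(":")
        if sep and name.strip().lower() in SENSITIVE_HEADERS:
            found.append(name.strip())
    return found


def check_trace(host, port=80, timeout=5.0):
    """Send one TRACE with a marker cookie; return (status, echoed headers).

    Max-Forwards: 0 keeps the request at the first hop so a proxy does not
    answer for the origin. On Apache, 'TraceEnable off' makes this return 405.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={
            "Host": host,
            "Cookie": "xst-check=marker",  # constructed marker, not a real session
            "Max-Forwards": "0",
        })
        resp = conn.getresponse()
        return resp.status, echoed_sensitive_headers(resp.status, resp.read())
    finally:
        conn.close()


# Constructed reply from a server with TRACE enabled: the body is the request
# it received, credentials included.
SAMPLE_ENABLED = (200, b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n"
                       b"Cookie: sessionid=abc123\r\n"
                       b"Authorization: Basic dXNlcjpwYXNz\r\n\r\n")
# Constructed reply from a server with TraceEnable off.
SAMPLE_DISABLED = (405, b"Method Not Allowed")
```

`check_trace("www.example.com")` runs the live check against a host you administer; the two SAMPLE tuples show what each outcome looks like without a network.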