Re: New Web Vulnerability - Cross-Site Tracing
From: Jeremiah Grossman <jeremiah(at)whitehatsec.com>
Date: Wed Jan 22 2003 - 19:25:01 EST

On Wed, 2003-01-22 at 15:52, xss-is-lame@hushmail.com wrote:

We do not believe the PR statement or white paper misrepresented anything. In fact we got the help from many known experts to make sure we did the best job we could and everything was as clear as we could make it. We also don't control media coverage.

> Some examples for the whitepaper and press release:

We are sick of seeing it as well. And XSS is in everything and near impossible to get rid of. Aka. plague.

Code Red was a plague. Melissa was a plague. In all the time XSS has been around, I only know of a few instances where it has actually been used. Do you have any evidence of an actual XSS epidemic taking place?

Well, being a security expert in the field I can hardly comment on specifics but yes... it does happen. Often? What's Often?

>

We feel the problem is located at the server, but the client-side still has issues as well. We cover those in the paper. We mentioned site examples of who supports trace simply to identify who supports what. It would be pointless if we used a request method no one supports, wouldn't it?

> This is a laughable, sensationalist statement.

we don't feel it to be laughable... but..frightening.

There is a *long* list of issues that have been reported since then that are many times more serious than this. Chunked encoding issues, the OpenSSL overflow, the CVS problem, etc. etc. etc. A year from now, how many credential sets do you think will actually have been compromised using this technique? Do you honestly think it's up in the Code Red and Nimda range?

We hope it doesn't get to that point surely. But you could take it up with who made the quote I guess.

> This creates a false implication: If you turn off TRACE, the security of the domain

Indeed. but not using this method.

The web browser must be trusted to protect the credentials it uses, no matter what.

to an extent. the smallest extent possible I'm sure you'd agree.

> I hope that this clarifies my disappointment with this issue. It's a nice hack, don't

Crystal clear. thank you. Any comments on the actual exploit in which potential attack vectors might be present?

Received on Wed Jan 22 21:17:48 2003