RE: TRACE used to increase the dangerous of XSS. This is a very cool find by Jeremiah.
However, the XMLHTTP ActiveX control shouldn't support the TRACE method. That's the bug. It's a pretty simple issue actually. XMLHTTP already removes incoming cookies and doesn't allow JavaScript to set outgoing cookies in GET requests. The folks at Microsoft already understand the basic issue behind this problem. They just forgot about the TRACE method.
Richard
-----Original Message-----
From: Jordan Frank [mailto:jordanf@shaw.ca]
Sent: Wednesday, January 22, 2003 8:46 PM
To: webappsec@securityfocus.com
Cc: Richard M. Smith
Subject: Re: TRACE used to increase the dangerous of XSS.
This is not a bug in Internet Explorer. When an HTTP TRACE is performed, the entire request, headers and all, is echoed back as the CONTENT BODY... that's the key. The responseText property represents the body of the response, as a string. Even if it didn't, the XMLHTTP object offers you access to the headers through the getAllResponseHeaders and getResponseHeader methods. So the XMLHTTP object is acting exactly as it's supposed to. Damnit, can't peg this one on Microsoft...

I initially wanted to post some message to the mailing lists talking about how this is overhyped nonsense, and offers nothing new other than a different way to get cookies. Then I read the paper and thought about it for a while, and realized that this is in fact something "somewhat" revolutionary. Maybe I'm a dummy, but I have yet to see any well-publicized way to get the headers that will be sent to a webserver along with a request. Yes, we could access the cookies through script, and we could use XMLHTTP to issue a GET request and look at the Set-Cookie header, but we didn't have a way to grab the Authentication information from the headers, as they were only sent to the webserver, and not echoed back to the client. So we needed a proxy, or a packet sniffer. Now we have a way of getting the headers that are sent from the client to the server. That is useful, and new (to me at least). If you can show me another way to get the authentication information from the client through JavaScript then please let me know (maybe I'm missing something really simple, I'm just a kid).

I think the problem was that this was a bit overhyped, it was misunderstood (and therefore misreported) by a few news organizations, and it focused mostly on cookies. I think it's way cooler that we can steal the authentication credentials. But why does everyone get so up in arms about the stupid issues, and ignore the technical merit? Can't we end the bickering and just admit that this is a new technique that we did not know about, and now we do. Damnit, those WhiteHat Security guys thought of something we didn't...

Anyways, props to WhiteHat Security for sharing their findings. This adds another tool to my arsenal. Damnit, that kid's gonna hack my hotmail account...
jordan
----- Original Message -----
From: "Richard M. Smith" <rms@computerbytesman.com>
To: <bugtraq@securityfocus.com>; <webappsec@securityfocus.com>;
<vulnwatch@vulnwatch.org>
Sent: Wednesday, January 22, 2003 2:34 PM
Subject: RE: TRACE used to increase the dangerous of XSS.
| Isn't this a bug in Internet Explorer? Shouldn't the Microsoft XMLHTTP
| ActiveX control be removing cookies from returned HTTP headers when a class
| of web-app-sec attack (XST) which potentially affects all web servers
Received on Wed Jan 22 23:12:41 2003