RE: TRACE used to increase the dangerous of XSS.

On Wed, 2003-01-22 at 18:06, Richard M. Smith wrote:
> This is a very cool find by Jeremiah.

thank you. I appreciate it.

> However, XMLHTTP ActiveX control shouldn't support the TRACE method.

Hmm maybe, maybe not. Been thinking about this a lot as you can imagine.:)

Denying the simple TRACE method from XMLHTTP would certainly mitigate many issues instantly. Or at least marking that control not safe for scripting would help as well. However XMLHTTP isnt the only Active HTTP API. There are also other client-side technologies that could potentially yield the same power as XMLHTTP and perform the attack as well.

Like Java, Flash, or anything else with access over HTTP. I havent 100% confirmed HTTP control within Flash or Java from the browser, but I think their Macromedia's new stuff is really powerful at the HTTP protocol level.  

> XMLHTTP already removes incoming cookies and doesn't allow JavaScript to

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

That very interesting that they do that actually. Wouldnt have guessed it beforehand. Received on Wed Jan 22 23:14:06 2003