RE: TRACE used to increase the dangerous of XSS.

I just finished reading this so-called whitepaper and the press release, and all I can say is hyped, sensationalised snakeoil.

The HttpOnly cookie feature, a proprietary Microsoft extension designed to mitigate a single aspect of XSS, can be circumvented in myriads of ways. In fact, reading the HTTP response in any other way than through the document.cookie property immediately exposed through JS will return the cookie to you. Calling from JS to a Java applet that in turn parses a HTTP response, using a Flash movie (or most any other plugin) or even needlessly complicating matters by parsing the BODY of a TRACE response received through XMLHTTP - such as this 'whitepaper' suggests.

By design, HttpOnly makes the cookie available only through the HTTP headers - which, among many others, the XMLHTTP control can read.

What we end up with from WhiteHat Security is a way to circumvent the HttpOnly cookie feature in IE6SP1, nothing else. In itself, worthy of a note in a roundup of browser problems or a comment in a reply to the posting announcing the HttpOnly feature on Bugtraq - but hardly a whitepaper, pressrelease and blurbs such as comparing this to Code Red and Nimda or calling this a flaw in all web servers worldwide. This is simply not "a new class of web-app-sec attack" or a flaw in TRACE, as hyped by WhiteHat Security.

System administrators should most definitely not waste their precious time on implementing the silly workarounds suggested, such as disabling TRACE/TRACK requests. The one, and only, impact the discovery from WhiteHat Security has is that it re-enables cookie reading from JS despite if you had already cared to specifically alter your webapplication to accomodate this.

All the boojah and fuss about not requiring an actual XSS in the webapplication or being able to impose XSS on arbitrary foreign domains, factors that would indeed be a cause of concern, is utterly and completely unrelated to the findings of WhiteHat Security. These are mere demonstrations of already publicly known unpatched vulnerabilities in Internet Explorer ( of which there are currently 19 - http://www.pivx.com/larholm/unpatched/ ).

WhiteHat Security paired a minor low-impact notice of their own with existing proof-of-concept code from several critical high-impact vulnerabilities discovered, and long disclosed, by thirdparty researchers, dubbed it their own and wrote up a fancy press release filled with inaccuracies announcing a indifferent 'whitepaper' scathered with obscure irrelevancies.

In short, snakeoil.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher

Latest PivX research: Multi-vendor Game Server DDoS Vulnerability http://www.pivx.com/press_releases/mk_mk001.html

-----Original Message-----
From: Jeremiah Grossman [mailto:jeremiah@whitehatsec.com] Sent: 22. januar 2003 21:33
To: bugtraq@securityfocus.com; webappsec@securityfocus.com; vulnwatch@vulnwatch.org
Subject: TRACE used to increase the dangerous of XSS.

WhiteHat Security has released a new white paper discussing a new class of web-app-sec attack (XST) which potentially affects all web servers supporting TRACE.

The white paper explains all the detailed technical results we have found so far. We are fairly certain this particular issue will spark much debate and encourage those interested to read and comment.

White Paper Mirrors:

http://www.betanews.com/whitehat/WH-WhitePaper_XST_ebook.pdfhttp://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdfhttp://www.boarder.org/WH-WhitePaper_XST_ebook.pdfhttp://www.forumgalaxy.com/whmirror/WhitePaper_screen.pdf

Press Release
http://www.whitehatsec.com/press_releases/WH-PR-20030120.txt Received on Thu Jan 23 10:22:44 2003