Hosting Provided By

RE: TRACE used to increase the dangerous of XSS.

From: Thor Larholm <thor(at)pivx.com>
Date: Thu Jan 23 2003 - 04:33:00 EST

This is not a bug in IE or XMLHTTP, and the cookie is not returned as part of the HTTP response headers. It is returned as part of the HTTP response body, which is exactly how TRACE works. Manipulating the HTTP response body returned is the last thing XMLHTTP would, or should, do.

IE is not the only browser that has XMLHTTP, Mozilla implemented a fullyworking copy with the exact same behavior. Neither remove any Set-Cookie HTTP headers from the response exposed to scripting.

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher

Latest PivX research: Multi-vendor Game Server DDoS Vulnerability http://www.pivx.com/press_releases/mk_mk001.html

-----Original Message-----
From: Richard M. Smith [mailto:rms@computerbytesman.com] Sent: 22. januar 2003 23:35
To: bugtraq@securityfocus.com; webappsec@securityfocus.com; vulnwatch@vulnwatch.org
Subject: RE: TRACE used to increase the dangerous of XSS.

Isn't this a bug in Internet Explorer? Shouldn't the Microsoft XMLHTTP ActiveX control be removing cookies from returned HTTP headers when a HTTP TRACE is done? I know that this already happens when a GET or a POST is done with XMLHTTP.

Richard M. Smith
http://www.ComputerBytesMan.com Received on Thu Jan 23 10:23:17 2003

This message: [ Message body ]
Next message: H D Moore: "Re: New Web Vulnerability - Cross-Site Tracing"
Previous message: Thor Larholm: "RE: TRACE used to increase the dangerous of XSS."
Maybe in reply to: Jeremiah Grossman: "TRACE used to increase the dangerous of XSS."
Next in thread: Richard M. Smith: "RE: TRACE used to increase the dangerous of XSS."
Reply: Richard M. Smith: "RE: TRACE used to increase the dangerous of XSS."

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:47 EDT

Do you need help?