Re: TRACE used to increase the dangerous of XSS.

Jeremiah,

I'm sorry for all the heat you have taken for your white paper. Personally, I read two important points in it: One down-to-Earth advice for the web site administrator, and one rather abstract observation for the web programmer.

For the admin

If I understand the article correctly, credentials between a user and a web site may be stolen if at least _one_ of the following is true, as long as TRACE requests are honored:

• The site is open to Cross-site Scripting
• The user has a buggy browser

I often like to say that bugs in the browsers are the users' own fault, but those running web sites with money involved tend to do more than me to help their users, out of fear of being held economically responsible.

For the programmer

It reminds me a bit of a discussion about session hijacking a few months back. Some people argued that checking IP addresses is a solution to the problem. It is not. The root problem in session hijacking is that someone somehow gets access to another person's session ID. Checking IP addresses is just one of those add-ons.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Don't get me wrong: The add-ons give us defense in depth, but only if we try to solve the real problem as well.

Sverre.

-- 
shh@thathost.com		Computer Geek?  Try my Nerd Quiz
http://shh.thathost.com/	
http://nerdquiz.thathost.com/