Hosting Provided By

RE: TRACE used to increase the dangerous of XSS.

From: Thor Larholm <thor(at)pivx.com>
Date: Thu Jan 23 2003 - 12:01:14 EST

There's hardly anything to fix in the first place.

Being able to send TRACE requests to the server is not an issue, unless you don't trust the client to see its own data. The XSS hole in your web application, which is needed in the first place to carry out this attack, is your problem - stealing the cookie or the basic-authentication headers through legitimate HTTP requests are just the symptoms, the side effects.

It all comes down to what you trust the client to do in the first place. Being able to read a file from the victims machine after you have successfully abused a buffer overflow on it is not the problem, the buffer overflow is. It is impossible for the filesystem/webapplication to tell the difference between the legitimate requests coming from a client or the illegitimate requests being proxyed through the client by the attacker, and as such any restrictions will also restrict the legitimate requests.

Comon practice in secure installations is to only allow the features that you need, instead of restricting those that you don't want. Typical targets such as online brokers and banks will most likely already have their webservers restricted to a few HTTP request types, since they by nature don't trust their clients.

Thor

-----Original Message-----

From: Richard M. Smith [mailto:rms@computerbytesman.com] Sent: 23. januar 2003 16:26
To: 'Thor Larholm'; bugtraq@securityfocus.com; webappsec@securityfocus.com; vulnwatch@vulnwatch.org Subject: RE: TRACE used to increase the dangerous of XSS.

So how do you propose fixing this issue?

My solution is to remove TRACE support from XMLHTTP.

Do you need help?

Richard

-----Original Message-----

From: Thor Larholm [mailto:thor@pivx.com] Sent: Thursday, January 23, 2003 4:33 AM To: Richard M. Smith; bugtraq@securityfocus.com; webappsec@securityfocus.com; vulnwatch@vulnwatch.org Subject: RE: TRACE used to increase the dangerous of XSS.

This is not a bug in IE or XMLHTTP, and the cookie is not returned as part
of the HTTP response headers. It is returned as part of the HTTP response
body, which is exactly how TRACE works. Manipulating the HTTP response body
returned is the last thing XMLHTTP would, or should, do.

IE is not the only browser that has XMLHTTP, Mozilla implemented a fullyworking copy with the exact same behavior. Neither remove any Set-Cookie HTTP headers from the response exposed to scripting.

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher

Latest PivX research: Multi-vendor Game Server DDoS Vulnerability http://www.pivx.com/press_releases/mk_mk001.html

-----Original Message-----

From: Richard M. Smith [mailto:rms@computerbytesman.com] Sent: 22. januar 2003 23:35
To: bugtraq@securityfocus.com; webappsec@securityfocus.com; vulnwatch@vulnwatch.org
Subject: RE: TRACE used to increase the dangerous of XSS.

Isn't this a bug in Internet Explorer? Shouldn't the Microsoft XMLHTTP ActiveX control be removing cookies from returned HTTP headers when a HTTP TRACE is done? I know that this already happens when a GET or a POST is done with XMLHTTP.

Do you need more help?

Richard M. Smith
http://www.ComputerBytesMan.com Received on Thu Jan 23 16:25:46 2003

This message: [ Message body ]
Next message: Jason Coombs: "RE: TRACE used to increase the dangerous of XSS."
Previous message: Peter Watkins: "Re: TRACE used to increase the dangerous of XSS."
Maybe in reply to: Jeremiah Grossman: "TRACE used to increase the dangerous of XSS."

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:47 EDT