Re: http TRACE option

From: Trancer (mtrancer@gmail.com)
Date: Sat Jan 19 2008 - 19:39:47 EST


From RFC 2616:

"The TRACE method is used to invoke a remote, application-layer loop-
back of the request message. The final recipient of the request SHOULD
reflect the message received back to the client as the entity-body of a
200 (OK) response. The final recipient is either the origin server or
the first proxy or gateway to receive a Max-Forwards value of zero (0)
in the request (see section 14.31). A TRACE request MUST NOT include an
entity."

http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

The HTTP TRACE method can put at risk a web application using HttpOnly
cookies to protect against cross-site scripting cookie-theft attacks.
Exploiting the TRACE method allows an attacker to steal cookies despite
the HttpOnly option.
Jeremiah Grossman posted a paper about this kind of attack (cross-site
tracing):
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf

pentestr wrote:
> Hi,
> what is the issue if TRACE option is enabled in web servers ? Nessus
> results always display it as warning.
> any idea...
>
> Thanks in advance.
> Rgds.
> P.T.
>

-- 
Trancer
0nly Human.
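
The check a scanner such as Nessus performs for this warning can be reproduced on a server you administer. The following is an added example, not part of the original post: it starts two constructed loopback servers (one that echoes TRACE as RFC 2616 describes, one with no TRACE handler) and tests whether a constructed Cookie header comes back in the response body. The class names, the function `trace_reflects` and the cookie value are assumptions made for the illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class EchoTrace(BaseHTTPRequestHandler):
    """Constructed server that implements TRACE as RFC 2616 describes it."""
    def do_TRACE(self):
        # Reflect the request line and headers as the entity-body.
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # keep output quiet
        pass

class NoTrace(BaseHTTPRequestHandler):
    """Constructed server with no TRACE handler; http.server answers 501."""
    def log_message(self, *args):
        pass

def start(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def trace_reflects(host, port, cookie="SESSIONID=constructed-sample-value"):
    """Return True if the server echoes a TRACE request, Cookie header included."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", "/", headers={"Cookie": cookie, "Max-Forwards": "0"})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1")
        # A reflected Cookie header in the body is the condition the warning flags.
        return resp.status == 200 and cookie in body
    finally:
        conn.close()

def demo():
    results = {}
    for name, handler in (("echo", EchoTrace), ("disabled", NoTrace)):
        srv = start(handler)
        results[name] = trace_reflects("127.0.0.1", srv.server_address[1])
        srv.shutdown()
        srv.server_close()
    return results

if __name__ == "__main__":
    print(demo())
```

A `True` result means the server should have TRACE disabled in its configuration; a 405 or 501 response to the same request yields `False`.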


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:20 EDT