RE: TRACE used to increase the dangerous of XSS. Jan 23 2003 09:10AM
Thor Larholm (thor pivx com)
I just finished reading this so-called whitepaper and the press release, and
all I can say is hyped, sensationalised snakeoil.

The HttpOnly cookie feature, a proprietary Microsoft extension designed to
mitigate a single aspect of XSS, can be circumvented in myriads of ways. In
fact, reading the HTTP response in any other way than through the
document.cookie property immediately exposed through JS will return the
cookie to you. Calling from JS to a Java applet that in turn parses a HTTP
response, using a Flash movie (or most any other plugin) or even needlessly
complicating matters by parsing the BODY of a TRACE response received
through XMLHTTP - such as this 'whitepaper' suggests.

By design, HttpOnly makes the cookie available only through the HTTP
headers - which, among many others, the XMLHTTP control can read.

What we end up with from WhiteHat Security is a way to circumvent the
HttpOnly cookie feature in IE6SP1, nothing else. In itself, worthy of a note
in a roundup of browser problems or a comment in a reply to the posting
announcing the HttpOnly feature on Bugtraq - but hardly a whitepaper,
pressrelease and blurbs such as comparing this to Code Red and Nimda or
calling this a flaw in all web servers worldwide. This is simply not "a new
class of web-app-sec attack" or a flaw in TRACE, as hyped by WhiteHat

System administrators should most definitely not waste their precious time
on implementing the silly workarounds suggested, such as disabling
TRACE/TRACK requests. The one, and only, impact the discovery from WhiteHat
Security has is that it re-enables cookie reading from JS despite if you had
already cared to specifically alter your webapplication to accomodate this.

All the boojah and fuss about not requiring an actual XSS in the
webapplication or being able to impose XSS on arbitrary foreign domains,
factors that would indeed be a cause of concern, is utterly and completely
unrelated to the findings of WhiteHat Security. These are mere
demonstrations of already publicly known unpatched vulnerabilities in
Internet Explorer ( of which there are currently 19 -
http://www.pivx.com/larholm/unpatched/ ).

WhiteHat Security paired a minor low-impact notice of their own with
existing proof-of-concept code from several critical high-impact
vulnerabilities discovered, and long disclosed, by thirdparty researchers,
dubbed it their own and wrote up a fancy press release filled with
inaccuracies announcing a indifferent 'whitepaper' scathered with obscure

In short, snakeoil.

Thor Larholm
PivX Solutions, LLC - Senior Security Researcher

Latest PivX research: Multi-vendor Game Server DDoS Vulnerability

-----Original Message-----
From: Jeremiah Grossman [mailto:jeremiah (at) whitehatsec (dot) com [email concealed]]
Sent: 22. januar 2003 21:33
To: bugtraq (at) securityfocus (dot) com [email concealed]; webappsec (at) securityfocus (dot) com [email concealed];
vulnwatch (at) vulnwatch (dot) org [email concealed]
Subject: TRACE used to increase the dangerous of XSS.

WhiteHat Security has released a new white paper discussing a new class
of web-app-sec attack (XST) which potentially affects all web servers
supporting TRACE.

The white paper explains all the detailed technical results we have
found so far. We are fairly certain this particular issue will spark
much debate and encourage those interested to read and comment.

White Paper Mirrors:

Press Release

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus