Web Application Security
rating TRACE Nov 12 2014 04:19PM
Robin Wood (robin digi ninja) (3 replies)
I've always given TRACE enabled a rating of low in my reports and I
know other testers who don't even bother reporting it but a client has
asked for a CVSS score for it and in Googling I found that Rapid 7
rate it as a 6.0, that is high end of medium.

http://www.rapid7.co.uk/db/vulnerabilities/http-trace-method-enabled

Looking at the metrics they give it does appear to be a reasonable
score and checking on the calculator I get a 5.8

http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=%28AV:N/AC:M/Au
:N/C:P/I:P/A:N%29

I know newer browsers can't make TRACE requests through JavaScript but
there is a commeon the OWASP site about potentially using Java to make
the call. In my opinion if you've got Java running on a client machine
then TRACE isn't what you are likely to be thinking about.

https://www.owasp.org/index.php/Cross_Site_Tracing

I'm curious what others think, do you rate TRACE as low or medium?

Robin

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

[ reply ]
Re: rating TRACE Nov 14 2014 01:41PM
Simon Ward (simon westpoint ltd uk)
Re: rating TRACE Nov 13 2014 04:13PM
Seth Art (sethsec gmail com) (3 replies)
Re: rating TRACE Nov 14 2014 04:45PM
Manolis Mavrofidis (mmavrofides gmail com)
Re: rating TRACE Nov 14 2014 12:57PM
Simon Ward (simon westpoint ltd uk)
Re: rating TRACE Nov 14 2014 08:48AM
Robin Wood (robin digi ninja)
RES: rating TRACE Nov 12 2014 11:33PM
Fábio Soto (fabio andradesoto com br)


 

Privacy Statement
Copyright 2010, SecurityFocus