Web Application Security
Re: rating TRACE Nov 12 2014 10:16PM
Robin Wood (robin digi ninja)
On 12 November 2014 22:09, Ryan Dewhurst <ryandewhurst (at) gmail (dot) com [email concealed]> wrote:
> I added this link to that OWASP page a while back which explains the Java
> applet method -
> http://seckb.yehg.net/2012/06/xss-gaining-access-to-httponly-cookie.html
>
> Not sure if it still works though, haven't read that post in a while.

I'll have a look but if you can run Java applets there are a lot worse
attacks you can do beyond grabbing cookies.

> I'd need to double check but I think I give it a low.

General consensus on Twitter is low as well but I realised that if you
go with the basic CVSS and get a 6.0 then that is a PCI fail, a QSA
friend of ours told me that if that happens it can't be ignored and
they would be failed till it was fixed.

Imagine not being able to take payments because you've got TRACE
enabled and a tester just blindly trusted the CVSS basic calculator!

Robin

>
> On Wed, Nov 12, 2014 at 5:19 PM, Robin Wood <robin (at) digi (dot) ninj [email concealed]a> wrote:
>>
>> I've always given TRACE enabled a rating of low in my reports and I
>> know other testers who don't even bother reporting it but a client has
>> asked for a CVSS score for it and in Googling I found that Rapid 7
>> rate it as a 6.0, that is high end of medium.
>>
>> http://www.rapid7.co.uk/db/vulnerabilities/http-trace-method-enabled
>>
>> Looking at the metrics they give it does appear to be a reasonable
>> score and checking on the calculator I get a 5.8
>>
>>
>> http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=%28AV:N/AC:M/Au:N/C:P/I:P/A:N%29
>>
>> I know newer browsers can't make TRACE requests through JavaScript but
>> there is a comment on the OWASP site about potentially using Java to make
>> the call. In my opinion if you've got Java running on a client machine
>> then TRACE isn't what you are likely to be thinking about.
>>
>> https://www.owasp.org/index.php/Cross_Site_Tracing
>>
>> I'm curious what others think, do you rate TRACE as low or medium?
>>
>> Robin
>>
>>
>>
>> This list is sponsored by Cenzic
>> --------------------------------------
>> Let Us Hack You. Before Hackers Do!
>> It's Finally Here - The Cenzic Website HealthCheck. FREE.
>> Request Yours Now!
>> http://www.cenzic.com/2009HClaunch_Securityfocus
>> --------------------------------------
>>
>

Copyright 2010, SecurityFocus