Web Application Security
Re: rating TRACE Nov 12 2014 10:23PM
Robin Wood (robin digi ninja) (1 replies)
On 12 November 2014 22:20, Ryan Dewhurst <ryandewhurst (at) gmail (dot) com [email concealed]> wrote:
> The Java applet thing is because it can send a cross-domain TRACE request.
> You would need the victim to visit a site you control first, which would
> then send the cross-domain TRACE to the target site, revealing your HTTPOnly
> cookies from the target site.

I get that, but they would have to allow the applet to run, which can
open them up to a lot more serious attacks than stealing cookies.

> I think you can lower the CVSS score if you do not agree with it but you
> need to add a note saying that you have lowered it and your reasons why. I'm
> not too sure about this though, but something I've heard.

Don't know, I'm not a QSA and don't pretend to be one.

Robin

> On Wed, Nov 12, 2014 at 11:16 PM, Robin Wood <robin (at) digi (dot) ninja [email concealed]> wrote:
>>
>> On 12 November 2014 22:09, Ryan Dewhurst <ryandewhurst (at) gmail (dot) com [email concealed]> wrote:
>> > I added this link to that OWASP page a while back which explains the
>> > Java
>> > applet method -
>> > http://seckb.yehg.net/2012/06/xss-gaining-access-to-httponly-cookie.html
>> >
>> > Not sure if it still works though, haven't read that post in a while.
>>
>> I'll have a look but if you can run Java applets there are a lot worse
>> attacks you can do beyond grabbing cookies.
>>
>> > I'd need to double check but I think I give it a low.
>>
>> General consensus on Twitter is low as well but I realised that if you
>> go with the basic CVSS and get a 6.0 then that is a PCI fail, a QSA
>> friend of ours told me that if that happens it can't be ignored and
>> they would be failed till it was fixed.
>>
>> Imagine not being able to take payments because you've got TRACE
>> enabled and a tester just blindly trusted the CVSS basic calculator!
>>
>> Robin
>>
>> >
>> > On Wed, Nov 12, 2014 at 5:19 PM, Robin Wood <robin (at) digi (dot) ninja [email concealed]> wrote:
>> >>
>> >> I've always given TRACE enabled a rating of low in my reports and I
>> >> know other testers who don't even bother reporting it but a client has
>> >> asked for a CVSS score for it and in Googling I found that Rapid7
>> >> rate it as a 6.0, that is high end of medium.
>> >>
>> >> http://www.rapid7.co.uk/db/vulnerabilities/http-trace-method-enabled
>> >>
>> >> Looking at the metrics they give it does appear to be a reasonable
>> >> score and checking on the calculator I get a 5.8
>> >>
>> >>
>> >>
>> >> http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=%28AV:N/AC:M/Au:N/C:P/I:P/A:N%29
>> >>
>> >> I know newer browsers can't make TRACE requests through JavaScript but
>> >> there is a comment on the OWASP site about potentially using Java to make
>> >> the call. In my opinion if you've got Java running on a client machine
>> >> then TRACE isn't what you are likely to be thinking about.
>> >>
>> >> https://www.owasp.org/index.php/Cross_Site_Tracing
>> >>
>> >> I'm curious what others think, do you rate TRACE as low or medium?
>> >>
>> >> Robin
>> >>
>> >>
>> >>
>> >> This list is sponsored by Cenzic
>> >> --------------------------------------
>> >> Let Us Hack You. Before Hackers Do!
>> >> It's Finally Here - The Cenzic Website HealthCheck. FREE.
>> >> Request Yours Now!
>> >> http://www.cenzic.com/2009HClaunch_Securityfocus
>> >> --------------------------------------
>> >>
>> >
>
>


RE: rating TRACE Nov 12 2014 10:38PM
Kenneth Kron (kenneth kron truvantis com)