Web Application Security
Re: rating TRACE Nov 12 2014 10:26PM
Robin Wood (robin digi ninja)
On 12 November 2014 22:24, Andrew van der Stock <vanderaj (at) greebo (dot) net [email concealed]> wrote:
> Once you plug in the rest of CVSS and get past the base score, it turns out
> it's CVSS rating 1.0, which is where I believe it to be.
>
> CVSS v2 Vector
> (AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C/CDP:N/TD:L/CR:ND/IR:L/AR:ND)

Fair enough; 1.0 is a much more realistic value for it.

> TRACE causes reflected XSS in really old browsers, which are not in common
> use today. I would still get folks to turn it off as it's attack surface
> reduction, but to concentrate on this one method when DEBUG or WebDAV is
> enabled for no good reason, this is the least of most folks' worries.

Same here, I recommend it is turned off as well.

Robin

> thanks
> Andrew
>
>
> On Thu, Nov 13, 2014 at 3:19 AM, Robin Wood <robin (at) digi (dot) ninja [email concealed]> wrote:
>>
>> I've always given TRACE enabled a rating of low in my reports and I
>> know other testers who don't even bother reporting it, but a client has
>> asked for a CVSS score for it and in Googling I found that Rapid 7
>> rate it as a 6.0, that is the high end of medium.
>>
>> http://www.rapid7.co.uk/db/vulnerabilities/http-trace-method-enabled
>>
>> Looking at the metrics they give, it does appear to be a reasonable
>> score, and checking on the calculator I get a 5.8.
>>
>>
>> http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=%28AV:N/AC:M/Au:N/C:P/I:P/A:N%29
>>
>> I know newer browsers can't make TRACE requests through JavaScript, but
>> there is a comment on the OWASP site about potentially using Java to make
>> the call. In my opinion, if you've got Java running on a client machine
>> then TRACE isn't what you are likely to be thinking about.
>>
>> https://www.owasp.org/index.php/Cross_Site_Tracing
>>
>> I'm curious what others think, do you rate TRACE as low or medium?
>>
>> Robin
>>
>>
>>

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
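The scores traded in this thread (the 5.8 base score from the NVD calculator, and Andrew's 1.0 once the temporal and environmental metrics are filled in) can be reproduced rather than taken on trust. The following is an added example, not code from either poster: a small CVSS v2.0 scorer that implements the base, temporal and environmental equations from the CVSS v2 guide and parses the exact vector strings quoted above. It uses decimal arithmetic with round-half-up, which is what the v2 "round_to_1_decimal" step needs for the environmental score here (0.975 must become 1.0, which binary floats and banker's rounding will not give you). The severity bands are the NVD v2 ones (Low 0-3.9, Medium 4.0-6.9, High 7.0-10.0).

```python
"""CVSS v2.0 scorer: reproduces the base/temporal/environmental scores
for the TRACE vectors quoted in this thread (added example)."""
from decimal import Decimal, ROUND_HALF_UP

D = Decimal

# Metric weights from the CVSS v2.0 guide. "ND" (not defined) is the
# neutral value for every optional metric.
WEIGHTS = {
    "AV": {"L": D("0.395"), "A": D("0.646"), "N": D("1.0")},
    "AC": {"H": D("0.35"), "M": D("0.61"), "L": D("0.71")},
    "Au": {"M": D("0.45"), "S": D("0.56"), "N": D("0.704")},
    "C": {"N": D("0"), "P": D("0.275"), "C": D("0.660")},
    "I": {"N": D("0"), "P": D("0.275"), "C": D("0.660")},
    "A": {"N": D("0"), "P": D("0.275"), "C": D("0.660")},
    # temporal
    "E": {"U": D("0.85"), "POC": D("0.9"), "F": D("0.95"), "H": D("1.0"), "ND": D("1.0")},
    "RL": {"OF": D("0.87"), "TF": D("0.90"), "W": D("0.95"), "U": D("1.0"), "ND": D("1.0")},
    "RC": {"UC": D("0.90"), "UR": D("0.95"), "C": D("1.0"), "ND": D("1.0")},
    # environmental
    "CDP": {"N": D("0"), "L": D("0.1"), "LM": D("0.3"), "MH": D("0.4"), "H": D("0.5"), "ND": D("0")},
    "TD": {"N": D("0"), "L": D("0.25"), "M": D("0.75"), "H": D("1.0"), "ND": D("1.0")},
    "CR": {"L": D("0.5"), "M": D("1.0"), "H": D("1.51"), "ND": D("1.0")},
    "IR": {"L": D("0.5"), "M": D("1.0"), "H": D("1.51"), "ND": D("1.0")},
    "AR": {"L": D("0.5"), "M": D("1.0"), "H": D("1.51"), "ND": D("1.0")},
}
BASE_METRICS = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector):
    """Turn '(AV:N/AC:M/...)' into {'AV': 'N', 'AC': 'M', ...}, rejecting
    unknown metrics/values and vectors missing a base metric."""
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        name, _, value = part.partition(":")
        if name not in WEIGHTS or value not in WEIGHTS[name]:
            raise ValueError(f"unknown CVSS v2 metric {part!r}")
        metrics[name] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"base metric(s) missing: {missing}")
    return metrics


def round1(x):
    """CVSS v2 round_to_1_decimal: round half up, not banker's rounding."""
    return x.quantize(D("0.1"), rounding=ROUND_HALF_UP)


def weight(metrics, name):
    return WEIGHTS[name][metrics.get(name, "ND")]


def impact(m, cr=D(1), ir=D(1), ar=D(1)):
    # Requirement weights are 1 for the base score; the environmental
    # AdjustedImpact multiplies each impact weight by its requirement.
    return D("10.41") * (1 - (1 - weight(m, "C") * cr)
                             * (1 - weight(m, "I") * ir)
                             * (1 - weight(m, "A") * ar))


def exploitability(m):
    return 20 * weight(m, "AV") * weight(m, "AC") * weight(m, "Au")


def base_from(imp, expl):
    f_impact = D(0) if imp == 0 else D("1.176")
    return round1((D("0.6") * imp + D("0.4") * expl - D("1.5")) * f_impact)


def score(vector):
    """Return base, temporal and environmental scores (None where the
    vector carries no metrics of that group)."""
    m = parse_vector(vector)
    expl = exploitability(m)
    base = base_from(impact(m), expl)
    temporal_factor = weight(m, "E") * weight(m, "RL") * weight(m, "RC")
    temporal = round1(base * temporal_factor)
    adj_impact = min(D(10), impact(m, weight(m, "CR"), weight(m, "IR"), weight(m, "AR")))
    adj_temporal = round1(base_from(adj_impact, expl) * temporal_factor)
    environmental = round1((adj_temporal + (10 - adj_temporal) * weight(m, "CDP"))
                           * weight(m, "TD"))
    has_temporal = any(k in m for k in ("E", "RL", "RC"))
    has_env = any(k in m for k in ("CDP", "TD", "CR", "IR", "AR"))
    return {
        "base": float(base),
        "temporal": float(temporal) if has_temporal else None,
        "environmental": float(environmental) if has_env else None,
    }


def severity(value):
    """NVD's v2 severity bands."""
    if value >= 7.0:
        return "High"
    if value >= 4.0:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    for v in ("AV:N/AC:M/Au:N/C:P/I:P/A:N",
              "(AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C/CDP:N/TD:L/CR:ND/IR:L/AR:ND)"):
        print(v, score(v))
```

Running it on the bare base vector gives 5.8, the number Robin got from the NVD calculator; on Andrew's full vector it gives base 5.8, temporal 4.5 and environmental 1.0, so his figure holds, and what drives it down is TD:L (few targets) and IR:L (integrity of the affected data matters little), not the base metrics, which is the point to make to a client who asks why a "medium" base score ends up as a low finding.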

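Whatever score it gets, a TRACE finding should only go in a report once the reflection has actually been confirmed: a 200 to a TRACE request is not enough on its own, since catch-all handlers will answer 200 to anything. The following is an added example (not from either poster) of the check: it sends a TRACE carrying a unique marker header and a stand-in Cookie, and only reports the method as enabled if the server answers 200 with a message/http body that echoes the marker back, which is the precondition for the cross-site tracing attack discussed above. The marker header name and the sample responses are constructed for the example.

```python
"""Confirm that a server honours TRACE by checking for reflection of a
marker header (added example; hostnames and responses are made up)."""
import socket

MARKER_HEADER = "X-Xst-Probe"  # assumed name; any unusual header works


def build_trace_request(host, path="/", marker="xst-check-1"):
    """TRACE asks the server to echo the request back as message/http.
    A unique header lets us detect the echo without matching the
    request line, which proxies may rewrite."""
    return (
        f"TRACE {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"{MARKER_HEADER}: {marker}\r\n"
        "Cookie: session=dummy\r\n"  # stands in for the cookie XST would steal
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def trace_enabled(raw_response, marker="xst-check-1"):
    """True only if the response is 200, typed message/http, and the body
    reflects our marker header. 405/501/403 or a 200 with an HTML body
    (a catch-all handler) both count as 'not enabled'."""
    head, sep, body = raw_response.partition(b"\r\n\r\n")
    if not sep:
        return False
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0].split(" ")
    if len(status) < 2 or status[1] != "200":
        return False
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip().lower()
    if not headers.get("content-type", "").startswith("message/http"):
        return False
    reflected = f"{MARKER_HEADER}: {marker}".lower().encode("ascii")
    return reflected in body.lower()


def probe(host, port=80, timeout=5.0):
    """Live check against a real host (not exercised in the offline test)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return trace_enabled(b"".join(chunks))


# Constructed sample responses, not captured from any real server.
SAMPLE_ENABLED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"X-Xst-Probe: xst-check-1\r\n"
    b"Cookie: session=dummy\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)
SAMPLE_REFUSED = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET, HEAD, POST\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
SAMPLE_CATCH_ALL = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>not found</html>"
)

if __name__ == "__main__":
    for name, sample in (("enabled", SAMPLE_ENABLED), ("refused", SAMPLE_REFUSED),
                         ("catch-all", SAMPLE_CATCH_ALL)):
        print(name, trace_enabled(sample))
```

Use `probe("target.example")` against a host you are authorised to test; the offline samples show the three outcomes a tester needs to tell apart. The reflected Cookie line in the positive sample is what the finding is about: a client-side component that can issue TRACE gets to read a cookie that the HttpOnly flag was supposed to hide from script.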
Copyright 2010, SecurityFocus