Web Application Security
Re: RES: rating TRACE Nov 13 2014 11:59AM
Robin Wood (robin digi ninja) (2 replies)
The general consensus seems to be low; apparently a QualysGuard
scanner (which is ASV approved, I've been told) rates it as
informational, and some, like Vivir, rate it as medium.

Such a simple issue and such a wide discrepancy of reporting levels
all with their own justifications. Makes me feel sorry for end users
who can have two companies test their systems and get two completely
different outlooks on their risk level each with the tester being able
to justify their findings. This may be OK for a company who has staff
who can decode the findings and rework the levels to their own
business but to a company who simply outsources the test and then acts
on the results they are reliant on what they are told.

Moving from TRACE to more complex or harder to understand bugs just
makes this worse and more subjective. I wish I could suggest a way to
fix it so everyone was rating based on the same levels. I know some
people aren't optimistic about CVSSv3 being able to help fix it. I've
not looked at it yet, but let's hope it moves us a step closer. Anyone
else have any ideas?

Robin

On 13 November 2014 02:04, vivir dolson <kcah4evil (at) gmail (dot) com [email concealed]> wrote:
> I have always rated TRACE as a medium security issue, as this might be a
> vector for other security attacks. Besides that, as one of the wisest security
> principles says, what is unused should be disabled. Hence if you are not
> going to use the TRACE method then in my opinion it should be switched off. It
> will protect your app not only against XST, but also against undiscovered
> vulnerabilities related to this channel, which may be found in the future.
>
> Dayanand
>
> On 13-Nov-2014 7:09 AM, "Fábio Soto" <fabio (at) andradesoto.com (dot) br [email concealed]> wrote:
>>
>> I'm rating it as low, and double check it, because it's commonly a
>> false-positive.
>>
>>
>> -----Original Message-----
>> From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On
>> Behalf Of Robin Wood
>> Sent: Wednesday, 12 November 2014 14:19
>> To: webappsec (at) securityfocus (dot) com [email concealed]
>> Subject: rating TRACE
>>
>> I've always given TRACE enabled a rating of low in my reports, and I know
>> other testers who don't even bother reporting it, but a client has asked for
>> a CVSS score for it, and in Googling I found that Rapid 7 rate it as a 6.0,
>> that is, the high end of medium.
>>
>> http://www.rapid7.co.uk/db/vulnerabilities/http-trace-method-enabled
>>
>> Looking at the metrics they give it does appear to be a reasonable score
>> and checking on the calculator I get a 5.8
>>
>>
>> http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=%28AV:N/AC:M/Au:N/C:P/I:P/A:N%29
>>
>> I know newer browsers can't make TRACE requests through JavaScript, but
>> there is a comment on the OWASP site about potentially using Java to make the
>> call. In my opinion, if you've got Java running on a client machine then
>> TRACE isn't what you are likely to be thinking about.
>>
>> https://www.owasp.org/index.php/Cross_Site_Tracing
>>
>> I'm curious what others think, do you rate TRACE as low or medium?
>>
>> Robin
>>
>>
>>
>> This list is sponsored by Cenzic
>> --------------------------------------
>> Let Us Hack You. Before Hackers Do!
>> It's Finally Here - The Cenzic Website HealthCheck. FREE.
>> Request Yours Now!
>> http://www.cenzic.com/2009HClaunch_Securityfocus
>> --------------------------------------
>>
>


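On Fábio's point that the finding is commonly a false positive: scanners tend to flag TRACE on a 200 status alone or on an OPTIONS Allow header, while Cross-Site Tracing actually needs the server to echo the request headers back in a message/http body. The following check, an added example and not code from the thread or from any scanner vendor, only reports TRACE as enabled when that echo is observed. The X-Trace-Canary header name is an arbitrary choice made here, www.example.com is a placeholder, and the sample responses are constructed rather than captured from any real host.

```python
"""Confirm a TRACE finding from the raw HTTP exchange.

Added example, not code from the original thread. A 200 status or an Allow
header listing TRACE is not enough; XST requires the request, headers
included, to come back in a message/http body. The sample responses are
constructed, not captured, and www.example.com is a placeholder.
"""
import socket

CANARY_NAME = "X-Trace-Canary"   # header name chosen for this example


def build_trace_request(host, path="/", canary="xst-check-1"):
    """HTTP/1.0 keeps the reply unchunked, so the body can be matched directly."""
    return ("TRACE %s HTTP/1.0\r\nHost: %s\r\n%s: %s\r\n\r\n"
            % (path, host, CANARY_NAME, canary)).encode("ascii")


def classify_trace_response(raw, canary="xst-check-1"):
    """Return (enabled, reason) for the raw bytes of a TRACE response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return False, "unparseable status line: %r" % lines[0]
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if status != 200:
        return False, "status %d: TRACE not accepted" % status
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "message/http":
        return False, "200 but Content-Type %r is not message/http (catch-all page?)" % ctype
    if ("%s: %s" % (CANARY_NAME, canary)).encode("ascii") not in body:
        return False, "message/http body does not echo the canary header"
    return True, "request headers echoed back: TRACE is genuinely enabled"


def check_host(host, port=80, timeout=5):
    """Live check against a host you are authorised to test (needs network)."""
    with socket.create_connection((host, port), timeout) as sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))


# Constructed responses covering the cases a scanner tends to confuse.
SAMPLES = {
    # A server that really does echo the request back.
    "echo": (b"HTTP/1.1 200 OK\r\nServer: Apache\r\nConnection: close\r\n"
             b"Content-Type: message/http\r\n\r\n"
             b"TRACE / HTTP/1.0\r\nHost: www.example.com\r\n"
             b"X-Trace-Canary: xst-check-1\r\n\r\n"),
    # Method refused outright.
    "refused": b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\nContent-Length: 0\r\n\r\n",
    # A front end that answers any verb with its landing page: 200, but no echo.
    "catch_all": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>It works!</html>",
    # A proxy that echoes the request line but strips the headers; no XST value.
    "stripped": (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                 b"TRACE / HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
}


def classify_samples():
    """Map each constructed sample to the enabled/not-enabled verdict."""
    return {name: classify_trace_response(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        enabled, reason = classify_trace_response(raw)
        print("%-9s enabled=%-5s %s" % (name, enabled, reason))
```

Only the first sample survives the check; the other three are the shapes that produce a "TRACE enabled" line in a scanner report without anything being echoed. Whether a genuine echo is then worth low or medium is the separate rating question the thread is about.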
Re: RES: rating TRACE Nov 14 2014 01:13PM
Simon Ward (simon westpoint ltd uk)
Re: RES: rating TRACE Nov 13 2014 12:57PM
Martino Dell'Ambrogio (tillo tillo ch)

Copyright 2010, SecurityFocus