Web Application Security
Re: RES: rating TRACE Nov 13 2014 12:57PM
Martino Dell'Ambrogio (tillo tillo ch)
This happens with any vulnerability and it's the reason we use our own
rating system, expose all of the variables to the customer and
eventually discuss scale changes or exceptions according to their
security model.

Most rating systems are flawed because they try to cover all situations,
but situations change.
This is a recurring problem regarding certifications, because they all
rely on some fixed standard.

Some scales can change within CVSSv2 thanks to the extended version, but
it's not enough.
Last time I checked further scale changes were not [publicly] discussed
for CVSSv3.

By the way, there are other critical flaws involving most risk rating
systems.
Think about serialized, partial vulnerabilities: most vulnerabilities
(or even flaws that are not considered vulnerabilities because there is
no direct impact) can be combined to form a much more critical
vulnerability.
As far as I know, there is no current system able to address this need.

Martino Dell'Ambrogio
Security Auditor
Web: http://www.tillo.ch/
Email: tillo (at) tillo (dot) ch [email concealed]

On 11/13/2014 12:59 PM, Robin Wood wrote:
> The general consensus seems to be low, apparently a QualysGuard
> scanner (which is ASV approved I've been told) rates it as
> informational and some, like Vivir rate it as medium.
>
> Such a simple issue and such a wide discrepancy of reporting levels
> all with their own justifications. Makes me feel sorry for end users
> who can have two companies test their systems and get two completely
> different outlooks on their risk level each with the tester being able
> to justify their findings. This may be OK for a company who has staff
> who can decode the findings and rework the levels to their own
> business but to a company who simply outsources the test and then acts
> on the results they are reliant on what they are told.
>
> Moving from TRACE to more complex or harder to understand bugs just
> makes this worse and more subjective. I wish I could suggest a way to
> fix it so everyone was rating based on the same levels. I know some
> people aren't optimistic about CVSSv3 being able to help fix it, I've
> not looked at it yet but let's hope it moves us a step closer. Anyone
> else have any ideas?
>
> Robin
>
> On 13 November 2014 02:04, vivir dolson <kcah4evil (at) gmail (dot) com [email concealed]> wrote:
>> I have always rated TRACE as a medium security issue, as this might be a
>> vector for other security attacks. Besides that, as the wisest security
>> principle says, what is unused should be disabled. Hence if you are not
>> going to use the TRACE method then in my opinion it should be switched off. It
>> will protect your app not only against XST, but also against undiscovered
>> vulnerabilities related to this channel, which can be found in the future.
>>
>> Dayanand
>>
>> On 13-Nov-2014 7:09 AM, "Fábio Soto" <fabio (at) andradesoto.com (dot) br [email concealed]> wrote:
>>> I'm rating it as low, and double check it, because it's commonly a
>>> false-positive.
>>>
>>>
>>> -----Original message-----
>>> From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On
>>> behalf of Robin Wood
>>> Sent: Wednesday, 12 November 2014 14:19
>>> To: webappsec (at) securityfocus (dot) com [email concealed]
>>> Subject: rating TRACE
>>>
>>> I've always given TRACE enabled a rating of low in my reports and I know
>>> other testers who don't even bother reporting it but a client has asked for
>>> a CVSS score for it and in Googling I found that Rapid 7 rate it as a 6.0,
>>> that is high end of medium.
>>>
>>> http://www.rapid7.co.uk/db/vulnerabilities/http-trace-method-enabled
>>>
>>> Looking at the metrics they give it does appear to be a reasonable score
>>> and checking on the calculator I get a 5.8
>>>
>>>
>>> http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=%28AV:N/AC:M/Au:N/C:P/I:P/A:N%29
>>>
>>> I know newer browsers can't make TRACE requests through JavaScript but
>>> there is a comment on the OWASP site about potentially using Java to make the
>>> call. In my opinion if you've got Java running on a client machine then
>>> TRACE isn't what you are likely to be thinking about.
>>>
>>> https://www.owasp.org/index.php/Cross_Site_Tracing
>>>
>>> I'm curious what others think, do you rate TRACE as low or medium?
>>>
>>> Robin
>>>
>>>
>>>
>>> This list is sponsored by Cenzic
>>> --------------------------------------
>>> Let Us Hack You. Before Hackers Do!
>>> It's Finally Here - The Cenzic Website HealthCheck. FREE.
>>> Request Yours Now!
>>> http://www.cenzic.com/2009HClaunch_Securityfocus
>>> --------------------------------------


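Fábio's point that a TRACE finding is commonly a false positive and Dayanand's advice to switch the method off both come down to one question: does the server actually reflect a TRACE request, or did the scanner only infer it from an Allow header? The script below is an added example, not code from anyone in the thread. It sends a single TRACE carrying a random token in a header and reports "reflected" only if that token comes back in the response body. So that it runs offline, it starts two constructed in-process servers on the loopback interface: one that echoes the request the way a server with TRACE enabled does, and one that answers 405 the way Apache does with TraceEnable off. The header name X-Trace-Probe and the function names are choices made for this example.

```python
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical header name that only carries the probe token (an assumption of this example).
MARKER_HEADER = "X-Trace-Probe"


class EchoTraceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server with TRACE enabled: it reflects the
    request line and headers in the body, which is what TRACE is defined to do."""

    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):  # keep the demo quiet
        pass


class DenyTraceHandler(EchoTraceHandler):
    """Constructed stand-in for a hardened server (for example Apache with
    TraceEnable off): the method is refused and nothing is reflected."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()


def check_trace(host, port, timeout=5.0):
    """Send one TRACE carrying a random token and classify the answer.

    'reflected'    - the token came back in the body, so TRACE really is enabled
    'rejected'     - the server refused the method (405 or 501)
    'inconclusive' - anything else, e.g. a 200 that does not echo the request
    """
    token = "probe-" + secrets.token_hex(8)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={MARKER_HEADER: token})
        resp = conn.getresponse()
        status = resp.status
        body = resp.read().decode("latin-1", "replace")
    finally:
        conn.close()
    if token in body:
        return "reflected"
    if status in (405, 501):
        return "rejected"
    return "inconclusive"


def run_against(handler_cls):
    """Serve handler_cls on an ephemeral loopback port, probe it once, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    worker = threading.Thread(target=server.serve_forever, daemon=True)
    worker.start()
    try:
        return check_trace("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("echoing server  :", run_against(EchoTraceHandler))   # reflected
    print("hardened server :", run_against(DenyTraceHandler))   # rejected
```

The random token is what turns a scanner's guess into evidence: a server that merely lists TRACE in an Allow header, or returns a generic 200 page for every method, is classified as inconclusive rather than as a finding, which is the double check Fábio describes before a rating is attached to it.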
Copyright 2010, SecurityFocus