Web Application Security
rating TRACE Nov 12 2014 04:19PM
Robin Wood (robin digi ninja) (3 replies)
Re: rating TRACE Nov 14 2014 01:41PM
Simon Ward (simon westpoint ltd uk)
Re: rating TRACE Nov 13 2014 04:13PM
Seth Art (sethsec gmail com) (3 replies)
Re: rating TRACE Nov 14 2014 04:45PM
Manolis Mavrofidis (mmavrofides gmail com)
I'm going to be a little bit off topic.
The problem with TRACE, and other low-rated vulnerabilities, expands
beyond the ratings because you never know how an attacker is going to
use TRACE or any other vulnerability to escalate his attack vector.

On 13 November 2014 18:13, Seth Art <sethsec (at) gmail (dot) com [email concealed]> wrote:
> Robin,
>
> If you are lucky, it might be a false positive. I have seen cases
> where OPTIONS tells you that TRACE is supported, but if you try the
> TRACE method, you get a 501 Not Implemented. Worth a try.
>
> Seth
>
>> On Wed, Nov 12, 2014 at 11:19 AM, Robin Wood <robin (at) digi (dot) ninja [email concealed]> wrote:
>> I've always given TRACE enabled a rating of low in my reports and I
>> know other testers who don't even bother reporting it but a client has
>> asked for a CVSS score for it and in Googling I found that Rapid 7
>> rate it as a 6.0, that is high end of medium.
>>
>> http://www.rapid7.co.uk/db/vulnerabilities/http-trace-method-enabled
>>
>> Looking at the metrics they give it does appear to be a reasonable
>> score and checking on the calculator I get a 5.8
>>
>> http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=%28AV:N/AC:M/Au:N/C:P/I:P/A:N%29
>>
>> I know newer browsers can't make TRACE requests through JavaScript but
>> there is a comment on the OWASP site about potentially using Java to make
>> the call. In my opinion if you've got Java running on a client machine
>> then TRACE isn't what you are likely to be thinking about.
>>
>> https://www.owasp.org/index.php/Cross_Site_Tracing
>>
>> I'm curious what others think, do you rate TRACE as low or medium?
>>
>> Robin
>>
>>
>>
>> This list is sponsored by Cenzic
>> --------------------------------------
>> Let Us Hack You. Before Hackers Do!
>> It's Finally Here - The Cenzic Website HealthCheck. FREE.
>> Request Yours Now!
>> http://www.cenzic.com/2009HClaunch_Securityfocus
>> --------------------------------------

--
"Only those who will risk going too far
can possibly find out how far one can go."
T.S. Eliot
http://0x109.tuxfamily.org


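Seth's point is that a scanner reporting "TRACE enabled" is often only reading the `Allow` header of an OPTIONS response, and the method can still answer 501 when actually requested. The script below is an added example (not code from any poster) that verifies a TRACE finding on a server you operate or are authorised to test: it records what OPTIONS advertises, then issues one TRACE request carrying a constructed marker header and only reports the finding as confirmed when the server returns 200 and reflects that header in the body. To make it runnable offline it also includes a constructed local `http.server` that advertises TRACE in both modes and either echoes or returns 501; the header name `X-Trace-Probe` and the `trace_mode` attribute are this example's own choices.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed marker header; seeing it reflected in the body proves a real echo.
PROBE_HEADER = ("X-Trace-Probe", "check-2014-11")


def check_trace(host, port, path="/"):
    """Compare what OPTIONS advertises with what TRACE actually does.

    Returns a dict with the advertised flag, the TRACE status code, whether the
    request was echoed, and a verdict: 'confirmed', 'false-positive' or 'disabled'.
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    resp.read()
    allow = [m.strip().upper() for m in resp.getheader("Allow", "").split(",")]
    conn.close()

    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", path, headers={PROBE_HEADER[0]: PROBE_HEADER[1]})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()

    advertised = "TRACE" in allow
    # RFC 7231: a TRACE response reflects the request message as its body.
    echoed = resp.status == 200 and ("%s: %s" % PROBE_HEADER).encode() in body
    if echoed:
        verdict = "confirmed"
    elif advertised:
        verdict = "false-positive"   # Allow lists TRACE, but the method is not served
    else:
        verdict = "disabled"
    return {"advertised": advertised, "trace_status": resp.status,
            "echoed": echoed, "verdict": verdict}


class _TestHandler(BaseHTTPRequestHandler):
    """Constructed local server: OPTIONS always lists TRACE; the TRACE behaviour
    is chosen per server instance so both cases from the thread can be exercised."""

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, OPTIONS, TRACE")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_TRACE(self):
        if self.server.trace_mode == "echo":
            body = (self.requestline + "\r\n" + str(self.headers)).encode()
            self.send_response(200)
            self.send_header("Content-Type", "message/http")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(501, "Not Implemented")

    def log_message(self, *args):
        pass   # keep the demo output quiet


def start_test_server(trace_mode):
    """Start the constructed server on an ephemeral loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), _TestHandler)
    srv.trace_mode = trace_mode
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    for mode in ("echo", "not_implemented"):
        srv = start_test_server(mode)
        print(mode, check_trace("127.0.0.1", srv.server_address[1]))
        srv.shutdown()
        srv.server_close()
```

Checking for the reflected marker rather than just a 200 matters because some front ends answer TRACE with a generic 200 page or an error document; only an echo of the request headers is the behaviour the Cross-Site Tracing write-up is about, and only that should go into the report at whatever rating you settle on.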
Re: rating TRACE Nov 14 2014 12:57PM
Simon Ward (simon westpoint ltd uk)
Re: rating TRACE Nov 14 2014 08:48AM
Robin Wood (robin digi ninja)
RES: rating TRACE Nov 12 2014 11:33PM
Fábio Soto (fabio andradesoto com br)
Copyright 2010, SecurityFocus