Web Application Security
Re: RES: rating TRACE Nov 14 2014 11:48AM
Robin Wood (robin digi ninja)
On 14 November 2014 11:38, Mike Antcliffe
<mikeantcliffe (at) logicallysecure (dot) com [email concealed]> wrote:
> I completely agree. And one of the biggest problems is that disparity
> between ratings on tests performed by different companies can cause trust
> issues.
>
> Until the entire industry is singing from the same hymn sheet, it's always
> going to be an issue. In the meantime all we can do is provide the best
> description of the issue possible, and be ready to explain it in simpler
> terms if needed.

I think something to watch out for if you do have to explain why your
results are rated differently to a previous report is not to insult or
talk down on the previous tester. Give your reasons for your score and
be prepared to back them up.

> I've only had trace crop up as a finding once, and given that PUT and DELETE
> were also supported it wasn't too hard to write up :-)

I get it occasionally but not that often; most frequently it is listed
in OPTIONS but not enabled.

Robin

>
> Mike Antcliffe
>
>
> Logically Secure
>
>
> -------- Original message --------
> From: Robin Wood
> Date:13/11/2014 12:04 (GMT+00:00)
> To: vivir dolson
> Cc: webappsec (at) securityfocus (dot) com [email concealed],fabio (at) andradesoto.com (dot) br [email concealed]
> Subject: Re: RES: rating TRACE
>
> The general consensus seems to be low, apparently a QualysGuard
> scanner (which is ASV approved I've been told) rates it as
> informational and some, like Vivir, rate it as medium.
>
> Such a simple issue and such a wide discrepancy of reporting levels
> all with their own justifications. Makes me feel sorry for end users
> who can have two companies test their systems and get two completely
> different outlooks on their risk level each with the tester being able
> to justify their findings. This may be OK for a company who has staff
> who can decode the findings and rework the levels to their own
> business but to a company who simply outsources the test and then acts
> on the results they are reliant on what they are told.
>
> Moving from TRACE to more complex or harder to understand bugs just
> makes this worse and more subjective. I wish I could suggest a way to
> fix it so everyone was rating based on the same levels. I know some
> people aren't optimistic about CVSSv3 being able to help fix it, I've
> not looked at it yet but let's hope it moves us a step closer. Anyone
> else have any ideas?
>
> Robin
>
> On 13 November 2014 02:04, vivir dolson <kcah4evil (at) gmail (dot) com [email concealed]> wrote:
>> I have always rated TRACE as a medium security issue, as this might be a
>> vector for other security attacks. Besides that, as one of the wisest security
>> principles says, what is unused should be disabled. Hence if you are not
>> going to use the TRACE method then in my opinion it should be switched off. It
>> will protect your app not only against XST, but also against undiscovered
>> vulnerabilities related to this channel, which can be found in the future.
>>
>> Dayanand
>>
>> On 13-Nov-2014 7:09 AM, "Fábio Soto" <fabio (at) andradesoto.com (dot) br [email concealed]> wrote:
>>>
>>> I'm rating it as low, and double check it, because it's commonly a
>>> false-positive.
>>>
>>>
>>> -----Original message-----
>>> From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On
>>> behalf of Robin Wood
>>> Sent: Wednesday, 12 November 2014 14:19
>>> To: webappsec (at) securityfocus (dot) com [email concealed]
>>> Subject: rating TRACE
>>>
>>> I've always given TRACE enabled a rating of low in my reports and I know
>>> other testers who don't even bother reporting it but a client has asked
>>> for a CVSS score for it and in Googling I found that Rapid 7 rate it as a
>>> 6.0, that is high end of medium.
>>>
>>> http://www.rapid7.co.uk/db/vulnerabilities/http-trace-method-enabled
>>>
>>> Looking at the metrics they give it does appear to be a reasonable score
>>> and checking on the calculator I get a 5.8
>>>
>>> http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=%28AV:N/AC:M/Au:N/C:P/I:P/A:N%29
>>>
>>> I know newer browsers can't make TRACE requests through JavaScript but
>>> there is a comment on the OWASP site about potentially using Java to make
>>> the call. In my opinion if you've got Java running on a client machine then
>>> TRACE isn't what you are likely to be thinking about.
>>>
>>> https://www.owasp.org/index.php/Cross_Site_Tracing
>>>
>>> I'm curious what others think, do you rate TRACE as low or medium?
>>>
>>> Robin
>>>
>>>
>>>
>>> This list is sponsored by Cenzic
>>> --------------------------------------
>>> Let Us Hack You. Before Hackers Do!
>>> It's Finally Here - The Cenzic Website HealthCheck. FREE.
>>> Request Yours Now!
>>> http://www.cenzic.com/2009HClaunch_Securityfocus
>>> --------------------------------------
>>>
>>
>


Copyright 2010, SecurityFocus