Web Application Security
rating TRACE Nov 12 2014 04:19PM
Robin Wood (robin digi ninja) (3 replies)
Re: rating TRACE Nov 14 2014 01:41PM
Simon Ward (simon westpoint ltd uk)
On 2014-11-12 16:19, Robin Wood wrote:
> I've always given TRACE enabled a rating of low in my reports and I
> know other testers who don't even bother reporting it but a client has
> asked for a CVSS score for it and in Googling I found that Rapid 7
> rate it as a 6.0, that is high end of medium.
> http://www.rapid7.co.uk/db/vulnerabilities/http-trace-method-enabled
> Looking at the metrics they give it does appear to be a reasonable
> score and checking on the calculator I get a 5.8
> http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=%28AV:N/AC:M/Au

I think the the CVSS metrics are exaggerated:

The CVSS 2 guide[1] suggests that each vulnerability be scored
independently, and having the TRACE method enabled is not by itself an

Cross-site tracing requires a vulnerability in a browser or plugin and
cross-site scripting too. The base exploitability should be scored more
difficult than plain XSS (in the score above it's the same as most XSS

The impact should really be none, since there is none if you can't
manipulate the browser or plugin to create your dodgy request in the
first place. If we're treating it as a vulnerability and fudging the
CVSS scores for it then I might give it a partial integrity impact based
on scoring tip #2 in the CVSS reference (consider the direct impact to
the target host only).

The above score might be reasonable if you're actually reporting the
presence of a cross-site tracing vulnerability, but if you're reporting
that the TRACE method is allowed it's not.

[1] http://www.first.org/cvss/cvss-guide


PS. I work for a company that reports and scores TRACE methods enabled,
but this opinion is my own and doesn't quite reflect how it is actually

This list is sponsored by Cenzic
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!

[ reply ]
Re: rating TRACE Nov 13 2014 04:13PM
Seth Art (sethsec gmail com) (3 replies)
Re: rating TRACE Nov 14 2014 04:45PM
Manolis Mavrofidis (mmavrofides gmail com)
Re: rating TRACE Nov 14 2014 12:57PM
Simon Ward (simon westpoint ltd uk)
Re: rating TRACE Nov 14 2014 08:48AM
Robin Wood (robin digi ninja)
RES: rating TRACE Nov 12 2014 11:33PM
Fábio Soto (fabio andradesoto com br)


Privacy Statement
Copyright 2010, SecurityFocus