- From: Alex Rousskov <rousskov@measurement-factory.com>
- Date: Fri, 14 Feb 2003 17:39:26 -0700 (MST)
- To: ietf-http-wg@w3.org
There is an HTTP-related security violation approach found/researched
by White Hat Security:
PR: http://www.whitehatsec.com/press_releases/WH-PR-20030120.txt
Details: http://www.betanews.com/whitehat/WH-WhitePaper_XST_ebook.pdf
I bet many of you have seen the related advisories/PR. For those who
have not, here is the gist:
Modern browsers usually do not allow scripts embedded in
HTML to access cookies and authentication information
exchanged between HTTP client and server. However, a
script can get access to that info by sending a
simple HTTP TRACE request to the originating (innocent)
server. The user agent will auto-include current
authentication info in such a request. The server will echo all
the authentication information back, for the script to read and
[mis]use. Apparently, sending an HTTP request is possible via
many scripting methods like ActiveX. See the URL above for
details.
With numerous XSS (cross-site-scripting) vulnerabilities in user
agents, this seems like a real and nasty problem. TRACE method support
is optional per RFC 2616, but many popular servers support it. White
Hat Security advises server administrators to disable support for
TRACE.
What is your opinion? Should TRACE be supported by default? Is it a
good idea to mention this "exposure" vulnerability in HTTP errata or
elsewhere?
Thanks,
Alex.
--
                            | HTTP performance - Web Polygraph benchmark
www.measurement-factory.com | HTTP compliance+ - Co-Advisor test suite
                            | all of the above - PolyBox appliance
Received on Friday, 14 February 2003 19:39:28 UTC
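As an added example (not part of Alex's message or the White Hat material), the Python check below classifies a server's reply to a TRACE request so an administrator can verify on their own servers that the echo described above no longer happens. The two responses are constructed samples, and the set of header names treated as credentials is an assumption.

```python
# Added example: classify a server's reply to an HTTP TRACE request.
# The exposure in the post is a 200 reply of type message/http whose body
# echoes the request, credentials included.  The responses below are
# constructed samples, not captures from any real server.

# Assumption: these are the request headers that carry credentials.
SENSITIVE_HEADERS = {"cookie", "authorization", "proxy-authorization"}


def parse_http_message(raw: bytes):
    """Split an HTTP request or response into (start line, headers, body).

    Header names are lower-cased.  A TRACE body is itself an HTTP request,
    so the same parser serves for both levels.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def echoed_credentials(response: bytes) -> set:
    """Return the credential header names a TRACE response reflects.

    An empty set means TRACE was refused (e.g. 405/501), the reply is not
    a message/http echo, or no credential headers were reflected.
    """
    status_line, headers, body = parse_http_message(response)
    parts = status_line.split()
    if len(parts) < 2 or parts[1] != "200":
        return set()
    if not headers.get("content-type", "").lower().startswith("message/http"):
        return set()
    _, echoed, _ = parse_http_message(body)
    return SENSITIVE_HEADERS & set(echoed)


# Constructed sample: a server with TRACE enabled echoes the whole request.
TRACE_ENABLED = (
    b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Cookie: session=abc123\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n"
)
# Constructed sample: a server with TRACE disabled, as White Hat advises.
TRACE_DISABLED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"

if __name__ == "__main__":
    print("enabled :", sorted(echoed_credentials(TRACE_ENABLED)))   # ['authorization', 'cookie']
    print("disabled:", sorted(echoed_credentials(TRACE_DISABLED)))  # []
```

A non-empty result from a server you administer means the TRACE method is still answered and should be disabled, as the post recommends.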