XSS makes TRACE harmful?

From: Alex Rousskov <rousskov@measurement-factory.com>
Date: Fri, 14 Feb 2003 17:39:26 -0700 (MST)
To: ietf-http-wg@w3.org
Message-ID: <Pine.BSF.4.53.0302141609440.56878@measurement-factory.com>


There is an HTTP-related security violation approach found/researched
by White Hat Security:

  PR: http://www.whitehatsec.com/press_releases/WH-PR-20030120.txt
  Details: http://www.betanews.com/whitehat/WH-WhitePaper_XST_ebook.pdf

I bet many of you have seen the related advisories/PR. For those who
have not, here is the gist:

	Modern browsers usually do not allow scripts embedded in
	HTML to access cookies and authentication information
	exchanged between HTTP client and server. However, a
	script can get access to that info by sending a
	simple HTTP TRACE request to the originating (innocent)
	server. The user agent will auto-include current
	authentication info in such a request. The server will echo all
	the authentication information back, for the script to read and
	[mis]use. Apparently, sending an HTTP request is possible via
	many scripting methods like ActiveX. See the URL above for
	details.

With numerous XSS (cross-site-scripting) vulnerabilities in user
agents, this seems like a real and nasty problem. TRACE method support
is optional per RFC 2616, but many popular servers support it. White
Hat Security advises server administrators to disable support for
TRACE.

What is your opinion? Should TRACE be supported by default? Is it a
good idea to mention this "exposure" vulnerability in HTTP errata or
elsewhere?

Thanks,

Alex.

-- 
                            | HTTP performance - Web Polygraph benchmark
www.measurement-factory.com | HTTP compliance+ - Co-Advisor test suite
                            | all of the above - PolyBox appliance
Received on Friday, 14 February 2003 19:39:28 GMT
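
The following is an added example, not part of the original message: a defender-side audit check for the behaviour the message describes, confirming whether a server reflects Cookie and Authorization values in a TRACE response. The two handler classes are constructed local stand-ins for a TRACE-enabled and a TRACE-disabled server, and the canary value and all function names are assumptions made for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CANARY = "xst-audit-canary-0000"  # constructed marker standing in for a session secret

class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # suppress per-request logging
        pass

class EchoingTrace(Quiet):
    """Constructed stand-in for a server that supports TRACE."""
    def do_TRACE(self):
        # Reflect the request line and headers back as a message/http body.
        body = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class TraceDisabled(Quiet):
    """Constructed stand-in for a server with TRACE turned off."""
    def do_TRACE(self):
        self.send_error(405, "Method Not Allowed")

def serve(handler):
    """Start handler on an ephemeral loopback port and return the server."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def trace_reflects_credentials(host, port):
    """Return True if TRACE echoes the Cookie/Authorization values sent."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", "/", headers={"Cookie": "sid=" + CANARY,
                                        "Authorization": "Basic " + CANARY})
    resp = conn.getresponse()
    body = resp.read().decode("latin-1")
    conn.close()
    return resp.status == 200 and CANARY in body

if __name__ == "__main__":
    for handler in (EchoingTrace, TraceDisabled):
        srv = serve(handler)
        print(handler.__name__, trace_reflects_credentials(*srv.server_address))
        srv.shutdown()
```

A True result means the response body carried the request's credential headers back to the client, which is the exposure the message attributes to TRACE; a 405 or any response without the canary returns False.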