W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2003

Re: XSS makes TRACE harmful?

From: Scott Lawrence <scott-http@skrb.org>
Date: 17 Feb 2003 11:43:01 -0500
To: ietf-http-wg@w3.org
Message-ID: <uel66rh7u.fsf@skrb.org>

Alex Rousskov:

> What is your opinion? Should TRACE be supported by default? Is it a
> good idea to mention this "exposure" vulnerability in HTTP errata or
> elsewhere?

Stefan Eissing <stefan.eissing@greenbytes.de> writes:

> Hmm. Maybe one could exclude sensitive header such as
> Authorization, Cookie and Proxy-Authorization from TRACE responses.

The entire value of TRACE lies in it being an exact copy; otherwise
it's pretty worthless as a debugging mechanism.

> On the other hand - as it is stated also in the report - there is no
> protection against XSS-enabled clients.

This exploit does not expose any user or application that is not
already sending authentication credentials in clear over the net.
Digest Authentication already solves this problem, and provides the
session tracking (via the server nonce) that applications want as
well, without exposing anything either on the net or to XSS clients.

Trying to repair this "new" problem by changing TRACE is like fixing
an abdominal bullet wound with a Band-Aid.

-- 
Scott Lawrence        
  Actively seeking work 

  http://world.std.com/~lawrence/    [<lawrence@world.std.com> is deprecated]
Received on Monday, 17 February 2003 11:43:08 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:49:22 GMT