-
January 23rd, 2003, 08:11 PM
#1
New Cross-Site Scripting Risks (TRACE Method)
http://isc.incidents.org/analysis.html?id=179
It is basically a twist on cross site scripting...
> nc localhost 80
TRACE / HTTP/1.0
X-Header: test
(don't forget the empty line at the end)
The response will be:
HTTP/1.1 200 OK
.... (various server headers) ...
Content-Type: message/http
TRACE / HTTP/1.0
X-Header: test
The important part is that the entire request (including the dummy X-Header)
is echoed back.
There is also a snort signature in the article to detect this method being used and it applies to both apache and IIS...
/nebulus
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
-
January 24th, 2003, 06:11 AM
#2
i just ran a scan on port 80 and ran the trace against them. about 40% returned the fake header.
does that mean that 40 percent are vulnerable to xss exploits? thats ungoddly if thats the case
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
January 24th, 2003, 02:56 PM
#3
At the time being maybe. They were still working on the issue and I am pretty sure the article mentioned that there may be an upcoming patch available from apache and microsoft to turn off the 'trace' feature.
/nebulus
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
-
January 24th, 2003, 03:35 PM
#4
Ahhh yes, this works wonderfully on my IIS 5.0 boxes. Now, has anyone actually tried to grab cookie data using this method or any other potential exploit that this listed on the link above?
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|