Nmap Development mailing list archives

Re: NSE Script http-methods.nse


From: Daniel Roethlisberger <daniel () roe ch>
Date: Sun, 21 Feb 2010 00:49:23 +0100

David Fifield <david () bamsoftware com> 2010-02-18:
> The uninteresting set {GET, HEAD, POST, OPTIONS, TRACE} just comes from
> a quick observation of a handful of web servers. I welcome suggestions
> of methods to be removed from or added to the set.

I'd vote for removing TRACE from the uninteresting set.  TRACE
can be security relevant in the context of Cross-Site Tracing
attacks (web app vulnerable to XSS, session cookie has HttpOnly
flag set or NTLM or basic auth is used, XSS payload does a TRACE
request back to the web server, server reflects request headers
in response body, XSS payload can now read session cookie or auth
headers).

http://www.owasp.org/index.php/Cross_Site_Tracing

-- 
Daniel Roethlisberger
http://daniel.roe.ch/
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
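
Added example, not part of the original message and not code from http-methods.nse: a Python illustration of how removing TRACE from the uninteresting set changes what gets reported for an OPTIONS response, plus a check of whether a TRACE response body echoes Cookie or Authorization request headers. The function names, the sample responses and the www.example.com host are constructed for illustration.

```python
from email.parser import Parser

# The set quoted in the thread, and the same set with TRACE removed as suggested.
UNINTERESTING_ORIGINAL = {"GET", "HEAD", "POST", "OPTIONS", "TRACE"}
UNINTERESTING_PROPOSED = UNINTERESTING_ORIGINAL - {"TRACE"}
SENSITIVE_HEADERS = ("cookie", "authorization")


def parse_response(raw):
    """Split a raw HTTP response into (status code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split()[1])
    return status, Parser().parsestr(header_block, headersonly=True), body


def interesting_methods(options_response, uninteresting):
    """Methods advertised by an OPTIONS response that are not in the given set."""
    _, headers, _ = parse_response(options_response)
    advertised = set()
    # Allow is the usual header; Public is an older one with the same role (RFC 2068).
    for name in ("Allow", "Public"):
        for value in headers.get_all(name, []):
            advertised.update(m.strip().upper() for m in value.split(",") if m.strip())
    return sorted(advertised - uninteresting)


def trace_reflects(trace_response):
    """Sensitive request headers echoed back in the body of a TRACE response."""
    status, _, body = parse_response(trace_response)
    if status != 200:
        return []
    # The body of a TRACE response is the request itself; skip its request line.
    echoed = Parser().parsestr(body.partition("\r\n")[2], headersonly=True)
    return [h for h in SENSITIVE_HEADERS if echoed.get(h) is not None]


# Constructed sample responses (not captured from a real server).
OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\nAllow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "Content-Length: 0\r\n\r\n"
)
TRACE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
    "TRACE / HTTP/1.1\r\nHost: www.example.com\r\n"
    "Cookie: SESSIONID=constructed-value\r\n\r\n"
)

if __name__ == "__main__":
    print(interesting_methods(OPTIONS_RESPONSE, UNINTERESTING_PROPOSED))
    print(trace_reflects(TRACE_RESPONSE))
```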

