Penetration Testing mailing list archives
Re: http TRACE option
From: Tim <tim-pentest () sentinelchicken org>
Date: Fri, 18 Jan 2008 13:40:53 -0500
what is the issue if TRACE option is enabled in web servers ? Nessus results always display it as warning. any idea...
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf It was an over-hyped little attack, but it is not insignificant. It the website also has a cross-site scripting vulnerability, XST can be used to steal HTTP headers that wouldn't otherwise be available to JavaScript et. al. For instance, basic auth headers and HttpOnly cookies. Without an XSS hole to go along with it, it really isn't important AFAIK. tim ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- http TRACE option pentestr (Jan 18)
- Re: http TRACE option jeffrey rivero (Jan 22)
- Re: http TRACE option Tim (Jan 22)
- Re: http TRACE option Florencio Cano (Jan 22)
- Re: http TRACE option Campbell Murray (Jan 22)
- Re: http TRACE option Chris McNab (Jan 22)
- RE: http TRACE option Maxime Ducharme (Jan 22)
- Re: http TRACE option Gleb Paharenko (Jan 22)
- Re: http TRACE option Alexander Bondarenko (Jan 22)
- Re: http TRACE option José M. Palazón Romero (Jan 22)
- Re: http TRACE option rajat swarup (Jan 22)
- RE: http TRACE option benoni.martin (Jan 22)
- Re: http TRACE option Bipin Upadhyay (Jan 22)
(Thread continues...)