Re: New Web Vulnerability - Cross-Site Tracing (fwd)

[Marc Slemko <marcs () znep com>]

For anyone interested, you won't likely see my response on bugtraq
since my message was rejected for using profanity ("half-assed")
and I do not wish to modify it and resubmit.

---------- Forwarded message ----------
Date: Wed, 22 Jan 2003 12:11:25 -0800 (PST)
From: Marc Slemko <marcs () znep com>
To: bugtraq () securityfocus com
Subject: Re: New Web Vulnerability - Cross-Site Tracing

On Wed, 22 Jan 2003, Pete Soderling wrote:

> I thought this news might interest the group ...
>
> ExtremeTech (http://extremetech.com) just released an article on a new type of vulnerability recently reported to 
> CERT, Cross-Site Tracing (XST).
>
> "After months of extensive research, San Jose California-based WhiteHat Security has unmasked a flaw in one of the 
> Web's cornerstone protocols which places all e-commerce sites, as well as scores of Internet users, in jeopardy.
>
> This threat was discovered by application security research firm WhiteHat, and is detailed in David's story below. 
> White Hat Security was started by a former CTO from Ungermann-Bass, and an Information Security officer at Yahoo!."
>
> Read the entire post at: http://www.extremetech.com/article2/0,3973,841047,00.asp

Wow, what a misinformed article.  The whitepaper available on
WhiteHat's site is better (http://www.whitehatsec.com/news.html)
but it still requires very careful reading to appreciate what parts
of it are talking about things that are due to other known holes
and which are actually news.

Essentially what it boils down to is that Microsoft's "httponly" cookie
hack is half-assed, and doesn't really work very well in reality, and
that because MS has a horribly record of cross domain security
holes that they refuse to patch in a timely manner then somehow
this hole is a new all pervasive attack.

Trying to pass all this off as some flaw in TRACE is... obscene.
Combining existing holes that already have a huge exposure, then
adding in a few little new pieces appears to be a strategy designed
to hype the importance of the issue.

The only new thing here is that this provides a way to get HTTP
basic authentication credentials and, while this is indeed a notable
discovery, it is unfortuante that is presented in the overhyped
way it is.  It has been possible to obtain basic auth credentials
in the past both from browsers that improperly allowed newline
characters to be embedded in fields in the request (allowing the
authorization to end up in the request body) and browsers that
could be tricked into thinking they are sending a request to site
x while really sending to site y, but AFAIK those holes are all
fixed in any recent versions of common browsers.

The reality is that there are many cases where the server returns
information to the user that is confidential.  TRACE is one of
those.  Embedding session IDs in returned links is one (very commonly
done on app servers that support cookie based session tracking with
a fallback to url based).  Returning a user's bank account number
when they view their account is another.  I don't see trying to
disable every way that the server can send sensitive data to the
browser as being a very effective path to try to take to solve such
issues.

The bottom line:  Why do you even need to steal the user's
authentication token if you have full access to get their browser
to submit requests and the ability to grab the contents of the
results?  And having access to those two things is exactly what
this whitepaper is assuming.  Yes, there is a small incremental
exposure to being able to take the authentication token away with
you and use it yourself but that is marginal compared to the exposure
from the holes being assumed to be there before the new TRACE issue
can be exploited.