WebApp Sec mailing list archives
Re: New Web Vulnerability - Cross-Site Tracing (fwd)
From: Jeremiah Grossman <jeremiah () whitehatsec com>
Date: 22 Jan 2003 16:09:41 -0800
On Wed, 2003-01-22 at 15:25, Marc Slemko wrote:
The only new thing here is that this provides a way to get HTTP basic authentication credentials and, while this is indeed a notable discovery, it is unfortuante that is presented in the overhyped way it is. It has been possible to obtain basic auth credentials in the past both from browsers that improperly allowed newline characters to be embedded in fields in the request (allowing the authorization to end up in the request body) and browsers that could be tricked into thinking they are sending a request to site x while really sending to site y, but AFAIK those holes are all fixed in any recent versions of common browsers.
Ok... the example you specify definitely achieves the same end this new attack does. But it does so without using any of the bugs you assume in your examples. Comparing apples to oranges really. Also, I dont recall ever seeing a browser bug where you could compromise the HTTP Basic Auth creds without have access to a target server. Maybe if we stretch it to URL trickery ok. But this was not done using purely JavaScript as the paper clearly states.
The reality is that there are many cases where the server returns information to the user that is confidential. TRACE is one of those.
Any other request methods that do that I am not aware of?
Embedding session IDs in returned links is one (very commonly done on app servers that support cookie based session tracking with a fallback to url based). Returning a user's bank account number when they view their account is another. I don't see trying to disable every way that the server can send sensitive data to the browser as being a very effective path to try to take to solve such issues.
I definitely see your point and its valid. There are indeed many ways to get the web application to echo credentials which are not stored security. Such as URL, etc. What we are attempting to relate is that for your type of attack to work, you NEED a web application that is in some way flawed. What we propose is that you no long NEED a web application to be flawed, simply a supporting TRACE web server and the creds are yours.
The bottom line: Why do you even need to steal the user's authentication token if you have full access to get their browser to submit requests and the ability to grab the contents of the results?
because thats all you need... nothing more. and supported in all browsers. NOT relying on a bug in this manner. Only need a bug to increase the exposure.
And having access to those two things is exactly what this whitepaper is assuming. Yes, there is a small incremental exposure to being able to take the authentication token away with you and use it yourself but that is marginal compared to the exposure from the holes being assumed to be there before the new TRACE issue can be exploited.
ok, maybe the white paper wasnt clear enough. The essential pieces that are require for full exploitation as I define is... script on a page, domain-restriction-bypass flaw (not essential), and a trace supporting target. We are not assuming or requiring the browser to be flawed any more than that. Again, I see your point... if you can grab a file off their machine... what would be the point of all this. To state once more... this is not required. I also apologize if you took the media coverage to be a bit much. We dont control the media however, surely Marc from experience you know that.
Current thread:
- Re: New Web Vulnerability - Cross-Site Tracing (fwd) Marc Slemko (Jan 22)
- Re: New Web Vulnerability - Cross-Site Tracing (fwd) Jeremiah Grossman (Jan 22)
- Re: New Web Vulnerability - Cross-Site Tracing (fwd) Gary Flynn (Jan 23)
- Re: New Web Vulnerability - Cross-Site Tracing (fwd) Jeremiah Grossman (Jan 22)