WebApp Sec mailing list archives

RE: TRACE used to increase the dangerous of XSS.

From: "Thor Larholm" <thor () pivx com>
Date: Thu, 23 Jan 2003 10:33:00 +0100

This is not a bug in IE or XMLHTTP, and the cookie is not returned as part
of the HTTP response headers. It is returned as part of the HTTP response
body, which is exactly how TRACE works. Manipulating the HTTP response body
returned is the last thing XMLHTTP would, or should, do.

IE is not the only browser that has XMLHTTP, Mozilla implemented a
fullyworking copy with the exact same behavior. Neither remove any
Set-Cookie HTTP headers from the response exposed to scripting.


Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher

Latest PivX research: Multi-vendor Game Server DDoS Vulnerability
http://www.pivx.com/press_releases/mk_mk001.html


-----Original Message-----
From: Richard M. Smith [mailto:rms () computerbytesman com]
Sent: 22. januar 2003 23:35
To: bugtraq () securityfocus com; webappsec () securityfocus com;
vulnwatch () vulnwatch org
Subject: RE: TRACE used to increase the dangerous of XSS.


Isn't this a bug in Internet Explorer?  Shouldn't the Microsoft XMLHTTP
ActiveX control be removing cookies from returned HTTP headers when a
HTTP TRACE is done?  I know that this already happens when a GET or a
POST is done with XMLHTTP.

Richard M. Smith
http://www.ComputerBytesMan.com

Current thread:

Re: TRACE used to increase the dangerous of XSS. Jordan Frank (Jan 22)
- <Possible follow-ups>
- Re: TRACE used to increase the dangerous of XSS. Jeremiah Grossman (Jan 22)
- RE: TRACE used to increase the dangerous of XSS. Thor Larholm (Jan 23)
- RE: TRACE used to increase the dangerous of XSS. Thor Larholm (Jan 23)