Re: rating TRACE

[Robin Wood <robin@digi.ninja>]

On 12 November 2014 22:20, Ryan Dewhurst <ryandewhurst () gmail com> wrote:
> The Java applet thing is because it can send a cross-domain TRACE request.
> You would need the victim to visit a site you control first, which would
> then send the cross-domain TRACE to the target site, revealing your HTTPOnly
> cookies from the target site.

I get that but they would have to allow the applet to run which can
open them up to a lot more serious attack than stealing cookies

> I think you can lower the CVSS score if you do not agree with it but you
> need to add a note saying that you have lowered it and your reasons why. I'm
> not too sure about this though, but something I've heard.

Don't know, I'm not a QSA and don't pretend to be one.

Robin

> On Wed, Nov 12, 2014 at 11:16 PM, Robin Wood <robin@digi.ninja> wrote:
> > On 12 November 2014 22:09, Ryan Dewhurst <ryandewhurst () gmail com> wrote:
> > > I added this link to that OWASP page a while back which explains the
> > > Java
> > > applet method -
> > > http://seckb.yehg.net/2012/06/xss-gaining-access-to-httponly-cookie.html
> > >
> > > Not sure if it still works though, haven't read that post in a while.
> >
> > I'll have a look but if you can run Java applets there are a lot worse
> > attacks you can do beyond grabbing cookies.
> >
> > > I'd need to double check but I think I give it a low.
> >
> > General concensus on Twitter is low as well but I realised that if you
> > go with the basic CVSS and get a 6.0 then that is a PCI fail, a QSA
> > friend of ours told me that if that happens it can't be ignored and
> > they would be failed till it was fixed.
> >
> > Imagine not being able to take payments because you've got TRACE
> > enabled and a tester just blindly trusted the CVSS basic calculator!
> >
> > Robin
> >
> > > On Wed, Nov 12, 2014 at 5:19 PM, Robin Wood <robin@digi.ninja> wrote:
> > > > I've always given TRACE enabled a rating of low in my reports and I
> > > > know other testers who don't even bother reporting it but a client has
> > > > asked for a CVSS score for it and in Googling I found that Rapid 7
> > > > rate it as a 6.0, that is high end of medium.
> > > >
> > > > http://www.rapid7.co.uk/db/vulnerabilities/http-trace-method-enabled
> > > >
> > > > Looking at the metrics they give it does appear to be a reasonable
> > > > score and checking on the calculator I get a 5.8
> > > >
> > > >
> > > >
> > > > http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=%28AV:N/AC:M/Au:N/C:P/I:P/A:N%29
> > > >
> > > > I know newer browsers can't make TRACE requests through JavaScript but
> > > > there is a commeon the OWASP site about potentially using Java to make
> > > > the call. In my opinion if you've got Java running on a client machine
> > > > then TRACE isn't what you are likely to be thinking about.
> > > >
> > > > https://www.owasp.org/index.php/Cross_Site_Tracing
> > > >
> > > > I'm curious what others think, do you rate TRACE as low or medium?
> > > >
> > > > Robin
> > > >
> > > >
> > > >
> > > > This list is sponsored by Cenzic
> > > > --------------------------------------
> > > > Let Us Hack You. Before Hackers Do!
> > > > It's Finally Here - The Cenzic Website HealthCheck. FREE.
> > > > Request Yours Now!
> > > > http://www.cenzic.com/2009HClaunch_Securityfocus
> > > > --------------------------------------



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! 
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------