Re: RES: rating TRACE

[Martino Dell'Ambrogio <tillo () tillo ch>]

This happens with any vulnerability and it's the reason we use our own
rating system, expose all of the variables to the customer and
eventually discuss scale changes or exceptions according to their
security model.

Most rating systems are flawed because they try to cover all situations,
but situations change.
This is a recurring problem regarding certifications, because they all
rely on some fixed standard.

Some scales can change within CVSSv2 thanks to the extended version, but
it's not enough.
Last time I checked further scale changes were not [publicly] discussed
for CVSSv3.

By the way, there are other critical flaws involving most risk rating
systems.
Think about serialized, partial vulnerabilities: most vulnerabilities
(or event flaws that are not considered vulnerabilities because there is
no direct impact) can be combined to form a much more critical
vulnerability.
As far as I know, there is no current system able to address this need.

Martino Dell'Ambrogio
Security Auditor
Web: http://www.tillo.ch/
Email: tillo () tillo ch

On 11/13/2014 12:59 PM, Robin Wood wrote:
> The general consensus seems to be low, apparently a QualysGuard
> scanner (which is ASV approved I've been told) rates it as
> informational and some, like Vivir rate it as medium.
>
> Such a simple issue and such a wide discrepancy of reporting levels
> all with their own justifications. Makes me feel sorry for end users
> who can have two companies test their systems and get two completely
> different outlooks on their risk level each with the tester being able
> to justify their findings. This may be OK for a company who has staff
> who can decode the findings and rework the levels to their own
> business but to a company who simply outsources the test and then acts
> on the results they are reliant on what they are told.
>
> Moving from TRACE to more complex or harder to understand bugs just
> makes this worse and more subjective. I wish I could suggest a way to
> fix it so everyone was rating based on the same levels. I know some
> people aren't optimistic about CVSSv3 being able to help fix it, I've
> not looked at it yet but lets hope it moves us a step closer. Anyone
> else have any ideas?
>
> Robin
>
> On 13 November 2014 02:04, vivir dolson <kcah4evil () gmail com> wrote:
> > I have always rated TRACE as medium security issue, as this might be a
> > vector for other security attacks. Besides that as a wisest security
> > principles says what is unused should be disabled. Hence if you are not
> > going to use TRACE method then in my opinion it should be switched off. It
> > will prevent your app not only against XST, but also against undiscovered
> > vulnerabilities related to this channel, which can be found in the future.
> >
> > Dayanand
> >
> > On 13-Nov-2014 7:09 AM, "Fábio Soto" <fabio () andradesoto com br> wrote:
> > > I'm rating it as low, and double check it, because it's commonly a
> > > false-positive.
> > >
> > >
> > > -----Mensagem original-----
> > > De: listbounce () securityfocus com [mailto:listbounce () securityfocus com] Em
> > > nome de Robin Wood
> > > Enviada em: quarta-feira, 12 de novembro de 2014 14:19
> > > Para: webappsec () securityfocus com
> > > Assunto: rating TRACE
> > >
> > > I've always given TRACE enabled a rating of low in my reports and I know
> > > other testers who don't even bother reporting it but a client has asked for
> > > a CVSS score for it and in Googling I found that Rapid 7 rate it as a 6.0,
> > > that is high end of medium.
> > >
> > > http://www.rapid7.co.uk/db/vulnerabilities/http-trace-method-enabled
> > >
> > > Looking at the metrics they give it does appear to be a reasonable score
> > > and checking on the calculator I get a 5.8
> > >
> > >
> > > http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=%28AV:N/AC:M/Au:N/C:P/I:P/A:N%29
> > >
> > > I know newer browsers can't make TRACE requests through JavaScript but
> > > there is a commeon the OWASP site about potentially using Java to make the
> > > call. In my opinion if you've got Java running on a client machine then
> > > TRACE isn't what you are likely to be thinking about.
> > >
> > > https://www.owasp.org/index.php/Cross_Site_Tracing
> > >
> > > I'm curious what others think, do you rate TRACE as low or medium?
> > >
> > > Robin
> > >
> > >
> > >
> > > This list is sponsored by Cenzic
> > > --------------------------------------
> > > Let Us Hack You. Before Hackers Do!
> > > It's Finally Here - The Cenzic Website HealthCheck. FREE.
> > > Request Yours Now!
> > > http://www.cenzic.com/2009HClaunch_Securityfocus
> > > --------------------------------------
> > >
> > >
> > >
> > >
> > > This list is sponsored by Cenzic
> > > --------------------------------------
> > > Let Us Hack You. Before Hackers Do!
> > > It's Finally Here - The Cenzic Website HealthCheck. FREE.
> > > Request Yours Now!
> > > http://www.cenzic.com/2009HClaunch_Securityfocus
> > > --------------------------------------
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now! 
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature