WebApp Sec mailing list archives

Re: rating TRACE


From: Simon Ward <simon () westpoint ltd uk>
Date: Fri, 14 Nov 2014 13:41:32 +0000

On 2014-11-12 16:19, Robin Wood wrote:
I've always given TRACE enabled a rating of low in my reports and I
know other testers who don't even bother reporting it but a client has
asked for a CVSS score for it and in Googling I found that Rapid 7
rate it as a 6.0, that is high end of medium.

http://www.rapid7.co.uk/db/vulnerabilities/http-trace-method-enabled

Looking at the metrics they give it does appear to be a reasonable
score and checking on the calculator I get a 5.8

http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=%28AV:N/AC:M/Au:N/C:P/I:P/A:N%29

I think the CVSS metrics are exaggerated:

The CVSS 2 guide[1] suggests that each vulnerability be scored independently, and having the TRACE method enabled is not by itself an issue:

Cross-site tracing requires a vulnerability in a browser or plugin and cross-site scripting too. The base exploitability should be scored more difficult than plain XSS (in the score above it's the same as most XSS scores).

The impact should really be none, since there is none if you can't manipulate the browser or plugin to create your dodgy request in the first place. If we're treating it as a vulnerability and fudging the CVSS scores for it then I might give it a partial integrity impact based on scoring tip #2 in the CVSS reference (consider the direct impact to the target host only).

The above score might be reasonable if you're actually reporting the presence of a cross-site tracing vulnerability, but if you're reporting that the TRACE method is allowed it's not.

[1] http://www.first.org/cvss/cvss-guide

Simon

PS. I work for a company that reports and scores TRACE methods enabled, but this opinion is my own and doesn't quite reflect how it is actually scored.


