lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <002201c2c2bf$7e3ffce0$858370d4@wks.jubii.dk>
From: lists.netsys.com at jscript.dk (Thor Larholm)
Subject: Fw: TRACE used to increase the dangerous of XSS.

----- Original Message -----
From: "Thor Larholm" <thor@...x.com>
To: <jeremiah@...tehatsec.com>; <bugtraq@...urityfocus.com>;
<webappsec@...urityfocus.com>; <vulnwatch@...nwatch.org>
Sent: Thursday, January 23, 2003 10:10 AM
Subject: RE: TRACE used to increase the dangerous of XSS.


> I just finished reading this so-called whitepaper and the press release,
and
> all I can say is hyped, sensationalised snakeoil.
>
> The HttpOnly cookie feature, a proprietary Microsoft extension designed to
> mitigate a single aspect of XSS, can be circumvented in myriads of ways.
In
> fact, reading the HTTP response in any other way than through the
> document.cookie property immediately exposed through JS will return the
> cookie to you. Calling from JS to a Java applet that in turn parses a HTTP
> response, using a Flash movie (or most any other plugin) or even
needlessly
> complicating matters by parsing the BODY of a TRACE response received
> through XMLHTTP - such as this 'whitepaper' suggests.
>
> By design, HttpOnly makes the cookie available only through the HTTP
> headers - which, among many others, the XMLHTTP control can read.
>
> What we end up with from WhiteHat Security is a way to circumvent the
> HttpOnly cookie feature in IE6SP1, nothing else. In itself, worthy of a
note
> in a roundup of browser problems or a comment in a reply to the posting
> announcing the HttpOnly feature on Bugtraq - but hardly a whitepaper,
> pressrelease and blurbs such as comparing this to Code Red and Nimda or
> calling this a flaw in all web servers worldwide. This is simply not "a
new
> class of web-app-sec attack" or a flaw in TRACE, as hyped by WhiteHat
> Security.
>
> System administrators should most definitely not waste their precious time
> on implementing the silly workarounds suggested, such as disabling
> TRACE/TRACK requests. The one, and only, impact the discovery from
WhiteHat
> Security has is that it re-enables cookie reading from JS despite if you
had
> already cared to specifically alter your webapplication to accomodate
this.
>
> All the boojah and fuss about not requiring an actual XSS in the
> webapplication or being able to impose XSS on arbitrary foreign domains,
> factors that would indeed be a cause of concern, is utterly and completely
> unrelated to the findings of WhiteHat Security. These are mere
> demonstrations of already publicly known unpatched vulnerabilities in
> Internet Explorer ( of which there are currently 19 -
> http://www.pivx.com/larholm/unpatched/  ).
>
> WhiteHat Security paired a minor low-impact notice of their own with
> existing proof-of-concept code from several critical high-impact
> vulnerabilities discovered, and long disclosed, by thirdparty researchers,
> dubbed it their own and wrote up a fancy press release filled with
> inaccuracies announcing a indifferent 'whitepaper' scathered with obscure
> irrelevancies.
>
> In short, snakeoil.
>
> Regards
> Thor Larholm
> PivX Solutions, LLC - Senior Security Researcher
>
> Latest PivX research: Multi-vendor Game Server DDoS Vulnerability
> http://www.pivx.com/press_releases/mk_mk001.html
>
>
> -----Original Message-----
> From: Jeremiah Grossman [mailto:jeremiah@...tehatsec.com]
> Sent: 22. januar 2003 21:33
> To: bugtraq@...urityfocus.com; webappsec@...urityfocus.com;
> vulnwatch@...nwatch.org
> Subject: TRACE used to increase the dangerous of XSS.
>
>
> WhiteHat Security has released a new white paper discussing a new class
> of web-app-sec attack (XST) which potentially affects all web servers
> supporting TRACE.
>
> The white paper explains all the detailed technical results we have
> found so far. We are fairly certain this particular issue will spark
> much debate and encourage those interested to read and comment.
>
>
> White Paper Mirrors:
> http://www.betanews.com/whitehat/WH-WhitePaper_XST_ebook.pdf
> http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf
> http://www.boarder.org/WH-WhitePaper_XST_ebook.pdf
> http://www.forumgalaxy.com/whmirror/WhitePaper_screen.pdf
>
> Press Release
> http://www.whitehatsec.com/press_releases/WH-PR-20030120.txt
>
>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ