----- Original Message -----
From: "Thor Larholm" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, January 23, 2003 10:10 AM
Subject: RE: TRACE used to increase the dangerous of XSS.

> I just finished reading this so-called whitepaper and the press release, and
> all I can say is hyped, sensationalised snakeoil.
>
> The HttpOnly cookie feature, a proprietary Microsoft extension designed to
> mitigate a single aspect of XSS, can be circumvented in myriad ways. In
> fact, reading the HTTP response in any other way than through the
> document.cookie property immediately exposed through JS will return the
> cookie to you. Calling from JS to a Java applet that in turn parses an HTTP
> response, using a Flash movie (or most any other plugin) or even needlessly
> complicating matters by parsing the BODY of a TRACE response received
> through XMLHTTP - such as this 'whitepaper' suggests.
>
> By design, HttpOnly makes the cookie available only through the HTTP
> headers - which, among many others, the XMLHTTP control can read.
>
> What we end up with from WhiteHat Security is a way to circumvent the
> HttpOnly cookie feature in IE6SP1, nothing else. In itself, worthy of a note
> in a roundup of browser problems or a comment in a reply to the posting
> announcing the HttpOnly feature on Bugtraq - but hardly a whitepaper,
> press release and blurbs such as comparing this to Code Red and Nimda or
> calling this a flaw in all web servers worldwide. This is simply not "a new
> class of web-app-sec attack" or a flaw in TRACE, as hyped by WhiteHat
> Security.
>
> System administrators should most definitely not waste their precious time
> on implementing the silly workarounds suggested, such as disabling
> TRACE/TRACK requests. The one, and only, impact the discovery from WhiteHat
> Security has is that it re-enables cookie reading from JS even if you had
> already cared to specifically alter your web application to accommodate this.
>
> All the boojah and fuss about not requiring an actual XSS in the
> web application or being able to impose XSS on arbitrary foreign domains,
> factors that would indeed be a cause of concern, is utterly and completely
> unrelated to the findings of WhiteHat Security. These are mere
> demonstrations of already publicly known unpatched vulnerabilities in
> Internet Explorer (of which there are currently 19 -
> http://www.pivx.com/larholm/unpatched/ ).
>
> WhiteHat Security paired a minor low-impact notice of their own with
> existing proof-of-concept code from several critical high-impact
> vulnerabilities discovered, and long disclosed, by third-party researchers,
> dubbed it their own and wrote up a fancy press release filled with
> inaccuracies announcing an indifferent 'whitepaper' scattered with obscure
> irrelevancies.
>
> In short, snakeoil.
>
> Regards
> Thor Larholm
> PivX Solutions, LLC - Senior Security Researcher
>
> Latest PivX research: Multi-vendor Game Server DDoS Vulnerability
> http://www.pivx.com/press_releases/mk_mk001.html
>
>
> -----Original Message-----
> From: Jeremiah Grossman [mailto:[EMAIL PROTECTED]]
> Sent: 22. januar 2003 21:33
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: TRACE used to increase the dangerous of XSS.
>
>
> WhiteHat Security has released a new white paper discussing a new class
> of web-app-sec attack (XST) which potentially affects all web servers
> supporting TRACE.
>
> The white paper explains all the detailed technical results we have
> found so far. We are fairly certain this particular issue will spark
> much debate and encourage those interested to read and comment.
>
>
> White Paper Mirrors:
> http://www.betanews.com/whitehat/WH-WhitePaper_XST_ebook.pdf
> http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf
> http://www.boarder.org/WH-WhitePaper_XST_ebook.pdf
> http://www.forumgalaxy.com/whmirror/WhitePaper_screen.pdf
>
> Press Release
> http://www.whitehatsec.com/press_releases/WH-PR-20030120.txt
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
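As an added example (not code from either poster, nor from the WhiteHat paper), here is a small offline Python check of the server-side behaviour the thread argues about: if a server answers TRACE with a `message/http` echo of the request, every Cookie or Authorization header the client sent comes back in the response body, which is why the HttpOnly flag does nothing against script that can read that body. Both sample responses below are constructed.

```python
# Offline check: does a TRACE response echo sensitive request headers?
# Added example; the two raw responses are constructed samples, not
# captures from any real server.

SENSITIVE_HEADERS = {"cookie", "authorization", "proxy-authorization"}

# Constructed: a server that supports TRACE and reflects the request.
SAMPLE_REFLECTING = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: message/http\r\n"
    "\r\n"
    "TRACE / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: sessionid=CONSTRUCTED-VALUE\r\n"
    "Authorization: Basic CONSTRUCTED-VALUE\r\n"
    "User-Agent: TraceCheck/0.1\r\n"
    "\r\n"
)

# Constructed: a server that rejects TRACE outright.
SAMPLE_REJECTING = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Allow: GET, HEAD, POST\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "TRACE is disabled on this server.\r\n"
)


def parse_http_message(raw: str):
    """Split a raw HTTP message into (start_line, {header: value}, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def reflected_sensitive_headers(raw_response: str):
    """Return the sensitive request headers a TRACE response echoes back.
    An empty list means TRACE was refused or nothing sensitive was reflected."""
    status_line, headers, body = parse_http_message(raw_response)
    if status_line.split()[1] != "200":
        return []
    if headers.get("content-type", "").lower() != "message/http":
        return []
    # The body of a TRACE response is itself an HTTP request message.
    _, echoed, _ = parse_http_message(body)
    return sorted(name for name in echoed if name in SENSITIVE_HEADERS)
```

Run the check against a response captured from your own server (for example by sending TRACE with a test Cookie header); a non-empty result means the reflection described in the thread is present.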
