Track and Trace
I was running an application security scan today against a Drupal installation and the tool flagged that my server accepted the TRACE and TRACK HTTP methods (TRACK is the name IIS historically gave to the same behaviour). I had no idea what this meant, so I did some reading; here is what I found:
Ways to obtain session cookies using the HTTP TRACE method were published at the start of 2003 under the name cross-site tracing (XST), so this is entirely review. If you are looking for breaking security news, look elsewhere. I am roughly 4 years behind the cutting edge. I believe that this is a fine place to be, because hundreds of thousands of computers are about 4 years behind in security. I would guess that most ways to use TRACE have been patched. Or have they?
What is TRACE? From RFC 2616 (HTTP/1.1), section 9.8:
TRACE allows the client to see what is being received at the other end of the request chain and use that data for testing or diagnostic information.
The final recipient reflects the request it received back to the client as the body of a 200 response, with a Content-Type of message/http. In other words, send a TRACE and you get your own request line and headers echoed back, exactly as the server saw them.
In a cross-site tracing (XST) attack the attacker uses a script injection (XSS) to make the browser of an authenticated user send a TRACE request to the target server. The server mirrors back everything the browser sent, so the response body contains the victim's Cookie header, session ID included, and any Authorization header as well. Because the script reads the cookie out of a response body rather than out of document.cookie, the HttpOnly flag does not protect it; that is the whole point of the attack. The remaining problem for the attacker is getting the echoed response back out to a place they control. One caveat: the XMLHttpRequest specification forbids scripts from sending TRACE (and TRACK and CONNECT), so browsers closed the most convenient route, but the server-side fix is still to disable the method, since plugins and non-browser clients are not bound by that rule.
How to try it out?
- JavaScript has ways to send TRACE requests (XMLHttpRequest was the usual route). There are some examples in this document.
- cURL from the command line (on Windows or anywhere else): curl -i -X TRACE http://www.phpsolvent.com (the -i shows the response headers, so you can see the status and the Content-Type: message/http that marks an echo; a server with the method disabled answers with an error status, 405 on Apache with TraceEnable off, and no echo)
- Paros Proxy. Intercept a request and manually change the method to TRACE
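To make the attack described above and the "how to try it out" steps concrete, here is an added example (my own code, not from the original post or from any of the tools named) that stands up two local servers: one that implements TRACE the way RFC 2616 describes, and a hardened one that refuses it. A probe then sends TRACE, carrying a constructed session cookie the way a logged-in browser would, and pulls the cookie back out of the echoed message/http body. The cookie value, port numbers and the TRACK alias on the vulnerable handler are all assumptions made for the demonstration.

```python
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed session cookie standing in for the victim's real one.
DEMO_COOKIE = "SESS1a2b3c=deadbeef"


class EchoTraceHandler(BaseHTTPRequestHandler):
    """Vulnerable server: TRACE mirrors the request line and every header
    back in a message/http body, as RFC 2616 section 9.8 describes."""

    def do_TRACE(self):
        lines = [self.requestline] + [f"{k}: {v}" for k, v in self.headers.items()]
        body = ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    # Assumption for the demo: treat TRACK as a second name for TRACE,
    # which is what IIS historically did.
    do_TRACK = do_TRACE

    def log_message(self, *args):  # keep the demo quiet
        pass


class HardenedHandler(BaseHTTPRequestHandler):
    """Fixed server: refuse TRACE (Apache: TraceEnable off). TRACK is not
    implemented at all, so the base class answers it with 501."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def start_server(handler):
    """Serve on an ephemeral 127.0.0.1 port in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def trace_probe(host, port, cookie, method="TRACE"):
    """Send TRACE (or TRACK) with a Cookie header, the way an XST payload makes
    a logged-in browser do, and pull the cookie back out of the echoed body.
    A hit here means HttpOnly would not have helped."""
    conn = HTTPConnection(host, port, timeout=5)
    conn.request(method, "/", headers={"Cookie": cookie})
    resp = conn.getresponse()
    body = resp.read().decode("iso-8859-1")
    conn.close()
    leaked = None
    for line in body.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            leaked = value.strip()
    return {
        "status": resp.status,
        "content_type": resp.getheader("Content-Type"),
        "leaked_cookie": leaked,
        "body": body,
    }


def run_demo():
    """Probe the vulnerable server (TRACE and TRACK) and the hardened one."""
    vuln, hard = start_server(EchoTraceHandler), start_server(HardenedHandler)
    vport, hport = vuln.server_address[1], hard.server_address[1]
    try:
        return {
            "vulnerable": trace_probe("127.0.0.1", vport, DEMO_COOKIE),
            "vulnerable_track": trace_probe("127.0.0.1", vport, DEMO_COOKIE, "TRACK"),
            "hardened": trace_probe("127.0.0.1", hport, DEMO_COOKIE),
        }
    finally:
        for srv in (vuln, hard):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, res in run_demo().items():
        print(f"{name}: HTTP {res['status']}, leaked cookie: {res['leaked_cookie']}")
```

The probe is the same check the scanner performed: a 200 with a message/http body that contains your own Cookie line means the method is on. Against a real host, point trace_probe at it instead of the local servers.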
One interesting use of TRACE is to identify proxies sitting in front of web applications. A proxy that forwards the TRACE must add itself to the Via header and decrement Max-Forwards before passing it on (RFC 2616 sections 14.45 and 14.31), and the application then mirrors the modified request back, so the echo reveals that the request arrived through a proxy rather than straight from the user's browser. Setting Max-Forwards: 0 goes a step further: the first hop is required to answer the TRACE itself instead of forwarding it, which identifies that hop directly. High-traffic sites often put caching proxies such as Squid in front of the application to increase performance by serving cached pages and error pages.
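An added example (mine, not from the original post) of reading a TRACE echo for evidence of intermediaries: it compares the headers the tester sent with the request as the origin received it, collecting Via entries, headers a proxy added, and the drop in Max-Forwards. Both echoed bodies below are constructed samples, one as if a single Squid cache forwarded the request and one as if the origin was reached directly; the host names and the 203.0.113.7 address are placeholders.

```python
# Constructed: the headers as the tester's client sent them.
SENT_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "Mozilla/5.0 (constructed)",
    "Max-Forwards": "2",
    "Cookie": "SESS1a2b3c=deadbeef",
}

# Constructed: the TRACE response body, i.e. the request as the origin saw it
# after one caching proxy forwarded it. The proxy added Via and
# X-Forwarded-For, decremented Max-Forwards and downgraded the request line.
ECHO_THROUGH_PROXY = (
    "TRACE / HTTP/1.0\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (constructed)\r\n"
    "Max-Forwards: 1\r\n"
    "Cookie: SESS1a2b3c=deadbeef\r\n"
    "Via: 1.1 cache1.example.net:3128 (squid)\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "\r\n"
)

# Constructed: the echo when the origin was reached directly; nothing changed.
ECHO_DIRECT = (
    "TRACE / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (constructed)\r\n"
    "Max-Forwards: 2\r\n"
    "Cookie: SESS1a2b3c=deadbeef\r\n"
    "\r\n"
)


def parse_echo(body):
    """Split a message/http body into its request line and lower-cased
    (name, value) header pairs, stopping at the blank line."""
    lines = body.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def find_intermediaries(sent_headers, echoed_body):
    """Compare what was sent with what the origin received. Each hop that
    forwards a TRACE must add itself to Via and decrement Max-Forwards, so any
    difference between the two is evidence of a proxy in the path."""
    request_line, echoed = parse_echo(echoed_body)
    sent = {k.lower(): v for k, v in sent_headers.items()}
    hops = []
    for name, value in echoed:
        if name == "via":
            hops.extend(entry.strip() for entry in value.split(","))
    added = [(n, v) for n, v in echoed if n not in sent]
    changed = [(n, sent[n], v) for n, v in echoed if n in sent and sent[n] != v]
    echoed_mf = next((v for n, v in echoed if n == "max-forwards"), None)
    hops_by_max_forwards = None
    if echoed_mf is not None and "max-forwards" in sent:
        hops_by_max_forwards = int(sent["max-forwards"]) - int(echoed_mf)
    return {
        "request_line": request_line,
        "via_hops": hops,
        "added_headers": added,
        "changed_headers": changed,
        "hops_by_max_forwards": hops_by_max_forwards,
        "proxied": bool(hops or added or changed),
    }


if __name__ == "__main__":
    for label, body in (("through proxy", ECHO_THROUGH_PROXY), ("direct", ECHO_DIRECT)):
        result = find_intermediaries(SENT_HEADERS, body)
        print(f"{label}: proxied={result['proxied']} via={result['via_hops']} "
              f"hops by Max-Forwards={result['hops_by_max_forwards']}")
```

Feed it a real echo (the body from curl -i -X TRACE, for instance) together with the headers you actually sent; Via is the reliable signal because the spec requires it, while X-Forwarded-For and the downgraded request line are extras that particular proxies happen to leave behind.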
July 12th, 2010 at 10:38 am
One thing that I would wish to see is a way of conducting a two-way dialog over the net radio station without having to choose and deselect stereophonic mix and mic. I believe it can be done. Not sure about it though.