Ticket #33 (closed editorial: fixed)
TRACE security considerations
|Reported by:||email@example.com||Owned by:|
|Component:||p2-semantics||Severity:||Active WG Document|
There is an HTTP-related security violation approach found/researched by White Hat Security:
I bet many of you have seen the related advisories/PR. For those who have not, here is the gist:
Modern browsers usually do not allow scripts embedded in HTML to access cookies and authentication information exchanged between HTTP client and server. However, a script can get access to that info by sending a simple HTTP TRACE request to the originating (innocent) server. The user agent will auto-include current authentication info in such request. The server will echo all the authentication information back, for script to read and [mis]use. Apparently, sending an HTTP request is possible via many scripting methods like ActiveX. See the URL above for details.
With numerous XSS (cross-site-scripting) vulnerabilities in user agents, this seems like a real and nasty problem. TRACE method support is optional per RFC 2616, but many popular servers support it. White Hat Security advises server administrators to disable support for TRACE.
- Component set to semantics
- Milestone set to unassigned
- Priority set to normal
- Type changed from design to editorial
- Severity set to Active WG Document