From: Peter Watkins [peterw@usa.net]
Sent: Thursday, January 23, 2003 3:28 PM
To: Thor Larholm
Subject: Re: TRACE used to increase the dangerous of XSS.

On Thu, Jan 23, 2003 at 10:10:49AM +0100, Thor Larholm wrote:

> I just finished reading this so-called whitepaper and the press release, and
> all I can say is hyped, sensationalised snakeoil.

> What we end up with from WhiteHat Security is a way to circumvent the
> HttpOnly cookie feature in IE6SP1, nothing else.

Really? WhiteHat also claims to have had some similar success with Mozilla, 
so it might not be simply an IE issue. (Exploit code for Mozilla would be 
nice.)

1) The whitepaper does raise the obvious question --for all admins-- of what
HTTP protocol methods should be enabled on their sites. TRACE is explicitly
designed for debugging (RFC 2616 section 9.8), and probably isn't needed by
any production Web site. Most servers are not expected to service anything
other than GET, POST, and HEAD requests. It seems only prudent to configure
http server software to only provide the methods that are required. 

2) It's much easier for a concerned site admin to disable TRACE on servers
that may see sensitive request headers than for the clients to be fixed
everywhere. It's fine to lay blame on the client software programmers, but 
better still to protect users when feasible.

3) Regarding the domain restriction security policies, I wish someone would 
clarify the rules clients follow, especially vis-a-vis http vs https 
requests. A man-in-the-middle or DNS attacker could obviously forge or 
tamper with an http page to include the code needed to make a TRACE request 
of an https server... would that work? Quick tests on IE5 suggest that at 
least the Microsoft.XMLHTTP object will *not* allow making a request to an 
https URL from code in an http-delivered page, which is very good news; at 
least in regard to that object in IE, the problem seems limited to exposing 
HttpOnly cookies and HTTP Authoriztion data, and relies on using XSS bugs in 
the target server.[2]

Bad news, though, in that my Microsoft.XMLHTTP seems happy to make an HTTP
request to the same protocol type & host name, but different port. E.G., use
http://target.example.com:8000/'s XSS bug (or malicious code) to launch an
XST attack on http://target.example.com/. Not good. (Reminds me of an old IE
bug, http://cert.uni-stuttgart.de/archive/bugtraq/1999/08/msg00380.html)

I can't quite get the exploits to work, though, as Microsoft.XMLHTTP seems 
to be trying TRACE requests using HTTP/1.0 -- presumably newer versions are 
smart enough to know TRACE is not a valid method in HTTP version 1.0? -- so 
my target iPlanet httpd sends a 405 method not allowed error. (A quick test 
of an Apache server shows that it allows TRACE in a HTTP/1.0 request, giving 
the client an HTTP/1.1 response with the expected TRACE data. I guess this 
means that iPlanet servers may be marginally less vulnerable...)

Enough about WhiteHat's specific exploits; it's quite conceivable that other 
objects, plugins, etc., might behave worse than those currently discussed.[2]

> System administrators should most definitely not waste their precious time
> on implementing the silly workarounds suggested, such as disabling
> TRACE/TRACK requests. The one, and only, impact the discovery from WhiteHat
> Security has is that it re-enables cookie reading from JS despite if you had
> already cared to specifically alter your webapplication to accomodate this.

4) There's been debate for some time in the web app development community
about the merits of cookies vs HTTP authentication (RFC 2617). Much of the
criticism of cookie-based authentication schemes has been how easy it is to
access cookie contents in client-side scripting; here we have a way of
accessing HTTP authentication info (cleartext passwords![0]) using those
same client-side scripting attack techniques. And admins who thought their 
systems were safe from XSS because they chose not to use cookies are now, 
unfortunately, quite wrong.

5) Microsoft.XMLHTTP is an intersting bit of code. It can be used to send 
POST requests, too[1], which, combined with the fact that you can tie an 
XMLHTTP.send() to a javascript event handler, means you can tie these 
attacks to something as simple as mousing over an image. That has 
implications both for XST and good old Cross-Site Request Forgery (CSRF)
attacks. Shoot, with my IE5 I've been able to tie POST requests to onLoad() 
handlers in BODY tags. Ick. Anyhow, these exploit code here should serve as 
a warning to developers that "HTTP Request Enabling Technology" may make 
CSRF attacks easier for the black hats to undertake, XST/TRACE issues 
notwithstanding. :-(

Bottom line, if http server admins can prevent their systems from responding
to TRACE requests with three lines in the config file, why not?

Speaking of which:

Apache: I'd suggest something more like
   RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST)$
so that only the desired methods are accepted.

Netscape/iPlanet/SunONE: hacking the vendor's compiled DLL? Ick. I was
unable to use obj.conf and NSAPI code to disable unwanted methods in iPlanet
Web Server 4.1, but was able to prevent TRACE from echoing certain headers.  
C source code is included with this message that can be used to prevent iWS 
from echoing the Cookie and Authorization headers. Use at your own risk, no 
warranty, etc., etc.

-Peter

[0] Message Digest authentication would not result in disclosing cleartext 
passwords, but in my experience, sites that have used HTTP authentication 
have chosen to use Basic authentication (for a number of reasons), so XST 
attacks are particularly nasty against these sites.

[1] http://support.microsoft.com/support/kb/articles/Q290/5/91.asp

[2] As WhiteHat notes, there are several ways that a client might be tricked
into making additional, arbitrary HTTP/HTTPS requests. We could argue about
where the domain check should happen: the plugin code, the applet security
manager, the browser itself, etc. And what the check should be: should code
in http://isp.example.net/~someuser/mypages/ be able to TRACE a request to
http://isp.example.net/webmail/otheruser/INBOX & read the Authorization
data? But the important thing is that WhiteHat has shown the risks of
allowing TRACE requests -- if you don't need TRACE, then disable it.
Reducing the number of attack vectors is always a good idea.

-- 
Peter Watkins - peterw@tux.org - peterw@usa.net - http://www.tux.org/~peterw/ 
Private personal mail: use PGP key F4F397A8; more sensitive data? Use 2D123692