web application security lab

XST is Alive… it’s Aliiiiive

Update: Never mind… it’s all a mistake (refer to the comments for details). TRACE may well be enabled, but the cookies are never sent along with the Java request, so nothing is disclosed. The world is still safe.

I’ve spent a good chunk of today working with Jeremiah regarding the XST (cross site trace) issue he has resurrected from the dead. Yes, this is the same old attack from the 2002 era, and it’s back to haunt us. Pretty much every browser technology has gone ahead and closed this off for us, including JavaScript and Flash, which refuse to send TRACE. The one that didn’t, however, is Java. Yup, good old-fashioned Java. Java can be instantiated from JavaScript space, so Jeremiah was able to concoct a rather nasty and fairly buggy example of how you can get sites with TRACE enabled to give up HTTPOnly cookies, or other things hidden in the HTTP protocol. So yes, I have to eat my words on the claim that TRACE isn’t a problem - it is again.

So now the next question is how to patch against it. So, yah, Apache has not made this easy _at all_. I spent at least half an hour combing through old ways to do it using mod_rewrite and no, they do not work (at least for me on Apache 2.x). Your mileage may vary. mod_security is an option if you trust it not to break your website (in my case it almost certainly would without turning almost everything off). A recompile is also possible, but given that an XSS is necessary in the site for this to work (or some other browser bug perhaps), I’m not sure in my particular case it’s worth patching. For others? Yah, it’s worth it. Also, worthy of note, I had a really hard time getting his exploit to work. It did work in Firefox in safe mode, but I had problems with plugins, and no luck with IE at all. Anyway, it’s aliiiiive! Good work by Jeremiah!
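Whatever the client-side story turns out to be, the server-side question is simple: does the host answer TRACE at all, and if so, what does the echo contain? The following probe is an added example for this post, not code from the original author or from Jeremiah’s proof of concept. It sends a raw TRACE request over a socket, recognises an enabled TRACE by a 2xx status with a `message/http` body, and pulls the `Cookie` and `Authorization` headers back out of the echoed request. The two sample responses are constructed, not captured from any real server; the host name and session values in them are placeholders. Note that the probe only gets back the headers it put in itself (the point Wladimir makes below), which is exactly why XST needs a browser or plugin that attaches the user’s credentials to the request.

```python
"""Probe for an enabled HTTP TRACE method and show what its echo reveals.

Added example for this post; not code from the original author.
Sample responses are constructed, not captured traffic.
"""
import socket
from typing import Dict, Optional, Tuple

CRLF = "\r\n"


def build_trace_request(host: str, path: str = "/",
                        extra_headers: Optional[Dict[str, str]] = None) -> bytes:
    """Build a raw HTTP/1.1 TRACE request.

    extra_headers stands in for what a browser would attach (Cookie,
    Authorization) if it could be coaxed into sending TRACE on the user's
    behalf; a standalone probe only ever gets back what it sent itself.
    """
    lines = [f"TRACE {path} HTTP/1.1", f"Host: {host}"]
    for name, value in (extra_headers or {}).items():
        lines.append(f"{name}: {value}")
    lines.append("Connection: close")
    return (CRLF.join(lines) + CRLF + CRLF).encode("ascii")


def parse_http_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw response into (status code, lower-cased headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response: no header terminator")
    lines = head.decode("iso-8859-1").split(CRLF)
    status_code = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers, body


def echoed_request_headers(body: bytes) -> Dict[str, str]:
    """Parse the request a TRACE response echoes back in its body.

    The body is the request exactly as the server saw it, so any Cookie or
    Authorization header the client sent comes straight back here.
    """
    headers: Dict[str, str] = {}
    for line in body.decode("iso-8859-1").split(CRLF)[1:]:  # skip request line
        if not line:  # blank line ends the echoed headers
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def trace_enabled(raw: bytes) -> bool:
    """True when the response is a 2xx carrying a message/http echo."""
    status_code, headers, _ = parse_http_response(raw)
    return 200 <= status_code < 300 and \
        headers.get("content-type", "").startswith("message/http")


def leaked_secrets(raw: bytes) -> Dict[str, str]:
    """Sensitive headers an attacker would read out of the echo; {} if blocked."""
    if not trace_enabled(raw):
        return {}
    _, _, body = parse_http_response(raw)
    echoed = echoed_request_headers(body)
    return {k: v for k, v in echoed.items() if k in ("cookie", "authorization")}


def probe(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> bytes:
    """Send one TRACE request and return the raw response (plain HTTP only).

    Only run this against hosts you are authorised to test.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host, path))
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)


# Constructed sample 1: TRACE enabled, request echoed back cookie and all.
SAMPLE_ENABLED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.0.52\r\n"
    b"Connection: close\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Cookie: SESSIONID=deadbeef; prefs=dark\r\n"
    b"Authorization: Basic dXNlcjpwYXNz\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

# Constructed sample 2: the same server after `TraceEnable off`.
SAMPLE_DISABLED = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Server: Apache/2.0.55\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h1>Method Not Allowed</h1></body></html>"
)

if __name__ == "__main__":
    for label, sample in (("enabled", SAMPLE_ENABLED), ("disabled", SAMPLE_DISABLED)):
        verdict = "TRACE enabled" if trace_enabled(sample) else "TRACE blocked"
        print(f"{label}: {verdict} {leaked_secrets(sample)}")
```

On the fix itself: Apache 1.3.34, 2.0.55 and every 2.2 release carry a core `TraceEnable off` directive (server or virtual-host context) that makes the core answer TRACE with a 405 like the second sample, which is the supported route rather than mod_rewrite tricks or a recompile. Run `probe("your.host")` through `trace_enabled` before and after the change to confirm it took.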

3 Responses to “XST is Alive… it’s Aliiiiive”

  1. Wladimir Palant Says:

    Wait, last time I checked Java wasn’t making HTTP requests through the browser. That means that neither cookies nor HTTP basic authorization will be visible in the response - only what you put in there yourself. Did that change?

  2. Jeremiah Grossman Says:

    OMG! Wladimir, you’re absolutely right! AAAGH, time to alter some posts!

  3. Jeremiah Grossman Says:

    I just updated my post to reflect the mistake.
