Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Experts Warn Against Overreacting to New Attack

    By
    Dennis Fisher
    -
    January 23, 2003
    Share
    Facebook
    Twitter
    Linkedin

      Security experts are cautioning systems administrators not to overreact to news of a newly discovered attack that under some circumstances can compromise users HTTP authentication credentials.

      News of the attack began spreading earlier this week after a security company posted on its Web site a white paper detailing what it said was months of research into the technique. The attack is closely related to the well-known class of attacks known as cross-site scripting and takes advantage of a request method called TRACE used by browsers to communicate with Web servers and is turned on by default in most Web servers.

      The request method is typically used in debugging Web servers and simply returns to the requesting machine the HTTP header fields that were sent to it. However, by using this feature in combination with scripting languages such as JavaScript and known vulnerabilities in Web browsers, an attacker could obtain information such as a users authentication credentials. To do so, the attacker would simply need to send a TRACE request from the users browser to a site where the user has registered, and the data sent back in the HTTP header could include sensitive log-on information.

      Many of the same pre-existing conditions are also needed to complete a cross-site scripting attack, which also requires the presence of a vulnerable dynamic HTML page on the target site. Cross-site tracing, as this new attack is called, doesnt need such a page.

      The attack was developed by White Hat Security Inc., of Santa Clara, Calif.

      “All the boojah and fuss about not requiring an actual [cross-site scripting vulnerability] in the Web application or being able to impose [cross-site scripting] on arbitrary foreign domains, factors that would indeed be a cause of concern, is utterly and completely unrelated to the findings of White Hat Security,” Thor Larholm, a senior security researcher at PivX Solutions LLC, wrote in a message on the BugTraq mailing list. “These are mere demonstrations of already publicly known unpatched vulnerabilities in Internet Explorer. In short, snake oil.”

      But some security researchers see the attack as a legitimate problem.

      “Rather than a single CGI [Common Gateway Interface] being vulnerable to cross-site scripting, now the entire server is vulnerable, regardless of its actual contents,” Rain Forest Puppy, a security expert and one of the moderators of the VulnWatch mailing list, wrote in a post to the list. “Of course, the actual severity of cross-site scripting is still a thing of myth and guesstimation. Exploitation is still a feat of luck and social engineering.”

      Other experts say that the issue is difficult to exploit and the attack relies on a complex combination of factors for success.

      “The full extent and implications of this new cross-site tracing vulnerability will take some time to fully understand, especially since some of the most complex vulnerabilities are found in Web browser technology. However, this is an important discovery of a new wrinkle in Web security with serious implications,” said Steven Christey, lead information security engineer at The Mitre Corp., in Bedford, Mass., and one of the creators of the Common Vulnerabilities and Exposures database. “I have not heard many reports of security incidents that involved vulnerabilities like cross-site tracing and cross-site scripting. Companies are usually very tight-lipped about providing details when a compromise occurs. Fortunately, cross-site tracing can be stopped at the server level instead of the application level, by restricting access to the TRACE method on the server. How that will impact existing Web-based software remains to be seen, but the issue touches Web servers, Web clients, and Web applications.”

      Others have pointed out that the object of the attack—stealing the users cookie or credentials—is almost a superfluous exercise if youre already able to control the users browser and access the results of any requests you make with it.

      Dennis Fisher

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×