Security experts are cautioning systems administrators not to overreact to news of a newly discovered attack that under some circumstances can compromise users HTTP authentication credentials.
News of the attack began spreading earlier this week after a security company posted on its Web site a white paper detailing what it said was months of research into the technique. The attack is closely related to the well-known class of attacks known as cross-site scripting and takes advantage of a request method called TRACE used by browsers to communicate with Web servers and is turned on by default in most Web servers.
The request method is typically used in debugging Web servers and simply returns to the requesting machine the HTTP header fields that were sent to it. However, by using this feature in combination with scripting languages such as JavaScript and known vulnerabilities in Web browsers, an attacker could obtain information such as a users authentication credentials. To do so, the attacker would simply need to send a TRACE request from the users browser to a site where the user has registered, and the data sent back in the HTTP header could include sensitive log-on information.
Many of the same pre-existing conditions are also needed to complete a cross-site scripting attack, which also requires the presence of a vulnerable dynamic HTML page on the target site. Cross-site tracing, as this new attack is called, doesnt need such a page.
The attack was developed by White Hat Security Inc., of Santa Clara, Calif.
“All the boojah and fuss about not requiring an actual [cross-site scripting vulnerability] in the Web application or being able to impose [cross-site scripting] on arbitrary foreign domains, factors that would indeed be a cause of concern, is utterly and completely unrelated to the findings of White Hat Security,” Thor Larholm, a senior security researcher at PivX Solutions LLC, wrote in a message on the BugTraq mailing list. “These are mere demonstrations of already publicly known unpatched vulnerabilities in Internet Explorer. In short, snake oil.”
But some security researchers see the attack as a legitimate problem.
“Rather than a single CGI [Common Gateway Interface] being vulnerable to cross-site scripting, now the entire server is vulnerable, regardless of its actual contents,” Rain Forest Puppy, a security expert and one of the moderators of the VulnWatch mailing list, wrote in a post to the list. “Of course, the actual severity of cross-site scripting is still a thing of myth and guesstimation. Exploitation is still a feat of luck and social engineering.”
Other experts say that the issue is difficult to exploit and the attack relies on a complex combination of factors for success.
“The full extent and implications of this new cross-site tracing vulnerability will take some time to fully understand, especially since some of the most complex vulnerabilities are found in Web browser technology. However, this is an important discovery of a new wrinkle in Web security with serious implications,” said Steven Christey, lead information security engineer at The Mitre Corp., in Bedford, Mass., and one of the creators of the Common Vulnerabilities and Exposures database. “I have not heard many reports of security incidents that involved vulnerabilities like cross-site tracing and cross-site scripting. Companies are usually very tight-lipped about providing details when a compromise occurs. Fortunately, cross-site tracing can be stopped at the server level instead of the application level, by restricting access to the TRACE method on the server. How that will impact existing Web-based software remains to be seen, but the issue touches Web servers, Web clients, and Web applications.”
Others have pointed out that the object of the attack—stealing the users cookie or credentials—is almost a superfluous exercise if youre already able to control the users browser and access the results of any requests you make with it.