[WEB SECURITY] tying sessions to IP addresses

Amit Klein (AKsecurity) aksecurity at hotpop.com
Sat Jun 10 07:57:19 EDT 2006


On 9 Jun 2006 at 10:46, Tom Stripling wrote:

> One thing to consider is that the HttpOnly restriction can be bypassed
> if the server has the TRACE method enabled, or at least it used to be
> possible:
> 
> http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
> 
> This paper is pretty old, though.  I played with it some recently and
> current versions of IE and Firefox appeared to prevent the attack.  Has
> anyone verified recently that this attack still works?  It certainly
> continues to show up on scans as a vulnerability.

Well:

1. There are many ways to bypass the HttpOnly restriction, see
http://www.webappsec.org/lists/websecurity/archive/2006-05/msg00025.html

2. As for the TRACE method being disabled in IE 6.0 SP2, it's easy to bypass
by specifying the method "\r\nTRACE" (in the XHR object), as mentioned in:
http://www.webappsec.org/lists/websecurity/archive/2006-01/msg00051.html

-Amit



----------------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
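
Added example, not part of the original message and not any browser's actual code: a model of a method filter that compares the caller's string as given, and so lets "\r\nTRACE" through, beside one that first requires the method to be a single HTTP token. The function names, the blocklist contents and the sample inputs are assumptions made for illustration.

```javascript
// Illustrative model of a client-side HTTP method filter (assumed design,
// not IE's or any other browser's implementation).

// Methods a script should not be allowed to send.
const FORBIDDEN = new Set(["TRACE", "TRACK", "CONNECT"]);

// HTTP "token" grammar (RFC 7230): one or more tchar.
// Whitespace, CR, LF and separators are not tchar, so they fail the match.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Naive filter: blocklist lookup on the raw string.
// "\r\nTRACE" is not equal to "TRACE", so it is allowed.
function naiveAllows(method) {
  return !FORBIDDEN.has(String(method).toUpperCase());
}

// Stricter filter: validate the syntax first, then apply the blocklist
// to a value that is known to be exactly one token.
function strictAllows(method) {
  if (typeof method !== "string" || !TOKEN.test(method)) {
    return false; // malformed method: reject instead of passing it on
  }
  return !FORBIDDEN.has(method.toUpperCase());
}

// Run both filters over a list of methods and report the decisions.
function compare(methods) {
  return methods.map((m) => ({
    method: JSON.stringify(m), // show control characters visibly
    naive: naiveAllows(m),
    strict: strictAllows(m),
  }));
}

// Constructed sample inputs, including the value quoted in the message.
const samples = ["GET", "trace", "\r\nTRACE", "TRACE ", "POST\r\nX-Hdr: v"];
console.table(compare(samples));
```

The same order of checks (syntax first, blocklist second) applies to any server-side or proxy rule that is meant to refuse TRACE.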


