[WEB SECURITY] tying sessions to IP addresses

Amit Klein (AKsecurity) aksecurity at hotpop.com
Sat Jun 10 07:57:19 EDT 2006

On 9 Jun 2006 at 10:46, Tom Stripling wrote:

> One thing to consider is that the HttpOnly restriction can be bypassed
> if the server has the TRACE method enabled, or at least it used to be
> possible:
> http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
> This paper is pretty old, though.  I played with it some recently and
> current versions of IE and Firefox appeared to prevent the attack.  Has
> anyone verified recently that this attack still works?  It certainly
> continues to show up on scans as a vulnerability.


1. There are many ways to bypass the HttpOnly restriction, see

2. As for the TRACE method being disabled in IE 6.0 SP2, it's easy to bypass
by specifying the method "\r\nTRACE" (in the XHR object), as mentioned in:

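The two mechanisms the thread touches on, written up as an added example that is not part of the original post, the quoted paper, or any cited source: a check that an HTTP method string is a single RFC 7230 token (CR and LF are not token characters, so a method value of "\r\nTRACE" is rejected instead of splitting the request line), and a check over a TRACE response that reports whether the server echoed the request, which is the condition a scanner reports as cross-site tracing exposure. The response bytes, the X-Probe header and the host example.invalid are constructed for this example.

```python
import re

# RFC 7230 "token" grammar. Everything else, in particular CR, LF, space
# and the other separators, must never reach the request line verbatim.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def is_valid_http_method(method: str) -> bool:
    """Return True only if `method` is a single RFC 7230 token.

    A client library or proxy that copies the method string into the
    request line unchanged must enforce this; a value containing CRLF
    would otherwise start a second request, which is the TRACE bypass
    the post describes.
    """
    return bool(_TOKEN_RE.fullmatch(method))


def trace_reflects_request(response: bytes, marker: bytes) -> bool:
    """Given the raw bytes of a response to a TRACE request, report whether
    the server echoed the request: a 200 status, a message/http body, and
    the body containing `marker` (a header value we put into the request).
    A server that echoes a probe header will echo Cookie headers the same
    way, so a True result means HttpOnly cookies are readable via TRACE.
    """
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep:
        return False  # no header/body boundary: not a complete response
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ")
    if len(parts) < 2 or parts[1] != b"200":
        return False  # 405 / 501 etc. mean TRACE is not served
    if b"content-type: message/http" not in head.lower():
        return False  # a 200 that is not an echo (e.g. a custom error page)
    return marker in body


# Constructed sample: a server with TRACE enabled echoes the request it got.
REFLECTING_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"Content-Length: 66\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"X-Probe: canary-12345\r\n"
    b"\r\n"
)

# Constructed sample: a hardened server refuses the method outright.
HARDENED_RESPONSE = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET, HEAD, POST\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


if __name__ == "__main__":
    for m in ("GET", "TRACE", "\r\nTRACE", "TRACE /", ""):
        print(repr(m), "valid token" if is_valid_http_method(m) else "REJECTED")
    print("reflecting server exposed:",
          trace_reflects_request(REFLECTING_RESPONSE, b"canary-12345"))
    print("hardened server exposed:",
          trace_reflects_request(HARDENED_RESPONSE, b"canary-12345"))
```

The method check belongs in whatever component builds the request line (the XHR implementation in the browser's case, or a proxy or client library); the response check is the scanner side of the same issue, and the server-side fix it is looking for is simply disabling TRACE (in Apache httpd, `TraceEnable off`).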

The Web Security Mailing List