[WEB SECURITY] tying sessions to IP addresses

Ryan Barnett rcbarnett at gmail.com
Sat Jun 10 09:33:22 EDT 2006

On 6/10/06, Amit Klein (AKsecurity) <aksecurity at hotpop.com> wrote:
> On 9 Jun 2006 at 10:46, Tom Stripling wrote:
> > One thing to consider is that the HttpOnly restriction can be bypassed
> > if the server has the TRACE method enabled, or at least it used to be
> > possible:
> >
> > http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
> >
> > This paper is pretty old, though.  I played with it some recently and
> > current versions of IE and Firefox appeared to prevent the attack.  Has
> > anyone verified recently that this attack still works?  It certainly
> > continues to show up on scans as a vulnerability.
> Well:
> 1. There are many ways to bypass the HttpOnly restriction, see
> http://www.webappsec.org/lists/websecurity/archive/2006-05/msg00025.html

In the referenced link, it mentions the use of demo/test scripts to possibly
get access to authentication credentials.  You are correct in that scripts
like printenv, test-cgi will dump the CGI ENV tokens and it will indeed
display the SessionID/Cookie contents.  As for Basic Auth, the browser will
show the REMOTE_USER portion of Basic Auth credentials so the username would
be exposed.


2. As for the TRACE method being disabled in IE 6.0 SP2, it's easy to bypass
> by specifying the method "\r\nTRACE" (in the XHR object), as menioned in:
> http://www.webappsec.org/lists/websecurity/archive/2006-01/msg00051.html
> -Amit
> ----------------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/

Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
Author: Preventing Web Attacks with Apache
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20060610/3f1509ce/attachment.html>

More information about the websecurity mailing list