I just finished reading this so-called whitepaper and the press release, and all I can say is hyped, sensationalised snakeoil. The HttpOnly cookie feature, a proprietary Microsoft extension designed to mitigate a single aspect of XSS, can be circumvented in myriads of ways. In fact, reading the HTTP response in any other way than through the document.cookie property immediately exposed through JS will return the cookie to you. Calling from JS to a Java applet that in turn parses a HTTP response, using a Flash movie (or most any other plugin) or even needlessly complicating matters by parsing the BODY of a TRACE response received through XMLHTTP - such as this 'whitepaper' suggests. By design, HttpOnly makes the cookie available only through the HTTP headers - which, among many others, the XMLHTTP control can read. What we end up with from WhiteHat Security is a way to circumvent the HttpOnly cookie feature in IE6SP1, nothing else. In itself, worthy of a note in a roundup of browser problems or a comment in a reply to the posting announcing the HttpOnly feature on Bugtraq - but hardly a whitepaper, pressrelease and blurbs such as comparing this to Code Red and Nimda or calling this a flaw in all web servers worldwide. This is simply not "a new class of web-app-sec attack" or a flaw in TRACE, as hyped by WhiteHat Security. System administrators should most definitely not waste their precious time on implementing the silly workarounds suggested, such as disabling TRACE/TRACK requests. The one, and only, impact the discovery from WhiteHat Security has is that it re-enables cookie reading from JS despite if you had already cared to specifically alter your webapplication to accomodate this. All the boojah and fuss about not requiring an actual XSS in the webapplication or being able to impose XSS on arbitrary foreign domains, factors that would indeed be a cause of concern, is utterly and completely unrelated to the findings of WhiteHat Security. These are mere demonstrations of already publicly known unpatched vulnerabilities in Internet Explorer ( of which there are currently 19 - http://www.pivx.com/larholm/unpatched/ ). WhiteHat Security paired a minor low-impact notice of their own with existing proof-of-concept code from several critical high-impact vulnerabilities discovered, and long disclosed, by thirdparty researchers, dubbed it their own and wrote up a fancy press release filled with inaccuracies announcing a indifferent 'whitepaper' scathered with obscure irrelevancies. In short, snakeoil. Regards Thor Larholm PivX Solutions, LLC - Senior Security Researcher Latest PivX research: Multi-vendor Game Server DDoS Vulnerability http://www.pivx.com/press_releases/mk_mk001.html -----Original Message----- From: Jeremiah Grossman [mailto:jeremiah@whitehatsec.com] Sent: 22. januar 2003 21:33 To: bugtraq@securityfocus.com; webappsec@securityfocus.com; vulnwatch@vulnwatch.org Subject: TRACE used to increase the dangerous of XSS. WhiteHat Security has released a new white paper discussing a new class of web-app-sec attack (XST) which potentially affects all web servers supporting TRACE. The white paper explains all the detailed technical results we have found so far. We are fairly certain this particular issue will spark much debate and encourage those interested to read and comment. White Paper Mirrors: http://www.betanews.com/whitehat/WH-WhitePaper_XST_ebook.pdf http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf http://www.boarder.org/WH-WhitePaper_XST_ebook.pdf http://www.forumgalaxy.com/whmirror/WhitePaper_screen.pdf Press Release http://www.whitehatsec.com/press_releases/WH-PR-20030120.txt
