Thursday, May 26, 2011

DISA guidance with regard to cross-site tracing?

I've been doing some reading concerning different ways to test applications, and more specifically, web applications.  The last couple of books have mentioned cross-site tracing, and how to test to see if the server could be vulnerable.  We use WebInspect on many of our tests, and I know I have seen the vulnerability come up.  But that got me thinking:  where does DISA/DoD talk about configuring the web server to turn off TRACE?  I looked through the Apache STIG (both 1.3.x and 2.x) and the IIS STIG (both IIS 5 and 6).  I did not find any mention of the TRACE verb and how the server should be configured in the DoD's eyes.  Further, I looked in the Application Security and Development STIG, and I did not see a finding/check in that STIG either.  (I did not expect to, since the finding really is a function of the server, and not the application.)

The closest the Application Security and Development STIG comes is a discussion in the finding for cross-site scripting.  There are three checks within the cross-site scripting finding that deal directly with cross-site scripting.  The fourth check specifically discusses the HttpOnly flag being set on cookies.  However, what makes cross-site tracing a bigger risk is that it has the ability to read/steal/reveal cookies even if the cookies have the HttpOnly flag set.

A great paper on the attack is here.

So, am I missing something in a STIG or checklist?  Or, is there really no guidance on web servers for the TRACE verb?
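For anyone wanting to verify their own server's TRACE handling without a scanner, here is an added example (my own, not from WebInspect or any STIG). It sends one TRACE request and classifies the reply: a server with TRACE enabled echoes the request back with Content-Type message/http, which is exactly what cross-site tracing uses to read headers like Cookie; a server with TRACE disabled (Apache's `TraceEnable off` directive, or the verb blocked on IIS) answers 405 Method Not Allowed. The sample responses in the test are constructed, and the `X-Probe` header is just a marker of my own.

```python
"""Check whether a web server still honours the HTTP TRACE method.

Enabled TRACE: status 200, Content-Type message/http, body echoes the
request (headers included). Disabled TRACE: typically 405 (Apache with
`TraceEnable off`, IIS with the verb blocked), sometimes 403 or 501.
"""
import http.client
from typing import Dict, Tuple


def classify_trace_response(status: int, headers: Dict[str, str], body: bytes) -> str:
    """Return 'enabled', 'disabled' or 'inconclusive' for one TRACE response.

    headers is expected with lower-cased keys.
    """
    ctype = headers.get("content-type", "").lower()
    if status == 200 and ctype.startswith("message/http"):
        return "enabled"                      # standards-conformant echo
    if status == 200 and body.lstrip().startswith(b"TRACE "):
        return "enabled"                      # echo with a sloppy content type
    if status in (403, 405, 501):
        return "disabled"                     # verb refused or not implemented
    return "inconclusive"                     # e.g. 404 from a proxy or WAF


def check_trace(host: str, port: int = 80, timeout: float = 5.0) -> Tuple[str, int]:
    """Send a single TRACE / to host:port and classify the server's reply.

    X-Probe is an arbitrary marker (my assumption, not a standard header);
    if TRACE is enabled it will come back verbatim in the response body.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"Host": host, "X-Probe": "trace-check"})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        body = resp.read()
    finally:
        conn.close()
    return classify_trace_response(resp.status, headers, body), resp.status


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    verdict, code = check_trace(target)
    print(f"{target}: TRACE {verdict} (HTTP {code})")
```

Run it as `python trace_check.py your-server` against a host you administer; a verdict of `enabled` is the finding WebInspect reports, and the fix on Apache 2.0.55+/1.3.34+ is `TraceEnable off` in httpd.conf.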
