RE: Is this exploitable?..
From: Benjamin Livshits (livshits@cs.stanford.edu)
Date: Thu Dec 16 2004 - 14:14:11 CST
What worries me is a scenario in which parts of the HTTP request are
somehow malicious. I.e. as is the case for XSS, if responseString is
printed back to the browser verbatim.
Coming up with an exploit scenario is the difficulty, though.
> -----Original Message-----
> From: Peter Conrad [mailto:conrad@tivano.de]
> Sent: Thursday, December 16, 2004 7:54 AM
> To: webappsec@securityfocus.com
> Cc: Benjamin Livshits
> Subject: Re: Is this exploitable?..
> On Wednesday, 15 December 2004 23:42, Benjamin Livshits wrote:
> > It looks like responseString obtained from req is forgeable and this
> > may conceivably lead to a vulnerability down the line, it seems, when
> > responseString is output with a call to out.print(responseString).
> please explain in what way the responseString is "forgeable".
> Yes, it does include all the original request headers. That's
> the point of a TRACE request.
> out.print() will write the *body* of the response, if that's
> what worries you.
> Peter Conrad Tel: +49 6102 / 80 99 072
> [ t]ivano Software GmbH Fax: +49 6102 / 80 99 071
> Bahnhofstr. 18 http://www.tivano.de/
> 63263 Neu-Isenburg
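To make the concern in this exchange concrete, here is an added illustration; it is not the servlet code the thread is discussing, nor anything written by either poster. The class name TraceEchoDemo, the helper names buildResponseString, htmlEscape and buildHtmlSafeResponse, and all header values are assumptions constructed for the demo. It mimics what a TRACE-style servlet does, copying the request line and every request header into the body that out.print(responseString) would write, and shows that the body carries a client-supplied header value through untouched, beside the same echo escaped for placement in an HTML page.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Hypothetical stand-in for the TRACE-style servlet under discussion (not the
 * poster's code). It builds the response body from the request line and the
 * request headers the way a TRACE echo does, and shows why printing that body
 * verbatim into a text/html response is an XSS sink.
 */
public class TraceEchoDemo {

    /** Vulnerable variant: request headers copied into the body unchanged. */
    static String buildResponseString(String requestLine, Map<String, String> headers) {
        StringBuilder sb = new StringBuilder(requestLine).append("\r\n");
        for (Map.Entry<String, String> h : headers.entrySet()) {
            sb.append(h.getKey()).append(": ").append(h.getValue()).append("\r\n");
        }
        return sb.toString();
    }

    /** Minimal HTML escaping for text placed inside an HTML element body. */
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Hardened variant: the same echo, escaped before it goes into an HTML page. */
    static String buildHtmlSafeResponse(String requestLine, Map<String, String> headers) {
        return "<pre>" + htmlEscape(buildResponseString(requestLine, headers)) + "</pre>";
    }

    public static void main(String[] args) {
        // Constructed request: the client chooses every header value it sends,
        // so a header like User-Agent here is entirely under its control.
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Host", "example.test");
        headers.put("User-Agent", "<script>alert(document.cookie)</script>");
        headers.put("Cookie", "JSESSIONID=constructed-sample-value");

        String responseString = buildResponseString("TRACE /trace HTTP/1.1", headers);
        // out.print(responseString) on a text/html response hands the
        // <script> element to the browser as markup.
        System.out.println("--- verbatim body (what out.print(responseString) emits) ---");
        System.out.print(responseString);
        System.out.println("contains live <script>: " + responseString.contains("<script>"));

        String safe = buildHtmlSafeResponse("TRACE /trace HTTP/1.1", headers);
        System.out.println("--- escaped body ---");
        System.out.println(safe);
        System.out.println("contains live <script>: " + safe.contains("<script>"));
    }
}
```

Two caveats bear on whether this is more than a theoretical sink. First, the content type matters: RFC 2616 says a TRACE response should be served as message/http, and a browser does not parse that as HTML, so the echo only becomes XSS when the servlet labels the body text/html (or leaves the container's default in place). Second, the attacker must get the victim's browser to send a header value it controls, which browsers largely prevent for cross-site requests; that is the practical obstacle behind "coming up with an exploit scenario is the difficulty".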