Page 207 - Hands-On Bug Hunting for Penetration Testers
Other (Out of Scope) Vulnerabilities Chapter 12
The HTTP OPTIONS Method Enabled
HTTP supports a variety of requests outside the standard GET, PUT/PATCH, POST, and
DELETE requests. OPTIONS is a diagnostic method that can expose debugging and stack
trace data that is potentially useful to an attacker. Although it increases your attack
surface and is something you should definitely avoid as an application developer, having
OPTIONS enabled is not a vulnerability per se. Like other wannabe bugs that we've
discussed, it requires too many extra steps in order to demonstrate a valid attack scenario.
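Before writing a finding like this off, a triager usually confirms what the server actually answers to OPTIONS. The following is an added example, not code from the book: it builds the raw request, parses the reply with the standard library, and flags whether the method is served. The two sample responses are constructed for illustration, not captured from any real host.

```python
from http.client import HTTPResponse
from io import BytesIO
import socket


def build_options_request(host, path="/"):
    """Raw OPTIONS request used to confirm whether the method is served."""
    return f"OPTIONS {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


class _FakeSocket:
    """Wraps a byte string so HTTPResponse can parse it without a network."""
    def __init__(self, raw):
        self._f = BytesIO(raw)

    def makefile(self, *args, **kwargs):
        return self._f


def parse_options_response(raw):
    """Return (status code, sorted methods from the Allow header)."""
    resp = HTTPResponse(_FakeSocket(raw), method="OPTIONS")
    resp.begin()
    allow = resp.getheader("Allow") or ""
    methods = sorted(m.strip().upper() for m in allow.split(",") if m.strip())
    return resp.status, methods


def options_enabled(status, methods):
    """A 2xx reply, or OPTIONS advertised in Allow, means the method is enabled."""
    return 200 <= status < 300 or "OPTIONS" in methods


# Constructed sample replies: one from a server that answers OPTIONS,
# one from a server that has been configured to refuse it.
ENABLED_RESPONSE = (b"HTTP/1.1 204 No Content\r\n"
                    b"Allow: GET, POST, PUT, PATCH, DELETE, OPTIONS\r\n"
                    b"Connection: close\r\n\r\n")
DISABLED_RESPONSE = (b"HTTP/1.1 405 Method Not Allowed\r\n"
                     b"Allow: GET, POST\r\nContent-Length: 0\r\n"
                     b"Connection: close\r\n\r\n")


def probe(host, port, path="/"):
    """Live variant of the check: send the request over TCP and parse the reply."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(build_options_request(host, path))
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_options_response(b"".join(chunks))
```

The 405 response shows the configuration you want to see in production: the Allow header lists only the methods the application needs, and OPTIONS itself is refused.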
BEAST (CVE-2011-3389) and Other SSL-Based Attacks
The Browser Exploit Against SSL/TLS (BEAST) attack assumes a fair degree of client-side
control, with the attacker able to inject packets into the browser's TLS stream by performing a
Man-in-the-Middle (MiTM) attack, which then allows the attacker to guess the
initialization vector involved and decrypt other information.
As the security product company Acunetix notes in one of its blog posts about the attack:
It's worth noting that for the BEAST attack to succeed, an attacker must have reasonable
control of the victim's browser, in which case it's [sic] more probable that an easier attack
vector is chosen.
This exemplifies a couple of themes common to our no-reward staple of would-be
vulnerabilities. First, the vulnerability in question is one that affects the actual TLS/SSL
connection, which means it is the responsibility of the underlying tech, and not just that
particular implementation of it. Second, it is a bug that requires several other vulnerabilities to
be exploited first, meaning that if it is present, it is not the issue that should be our greatest
concern. Both of these dynamics work to invalidate it and other SSL-based attacks as
reportable submissions.
[ 192 ]