hiredhacker.com

I was looking over some of Mozilla’s XMLHTTPRequest code, and noticed this snippet at nsXMLHttpRequest.cpp:915

// Disallow HTTP/1.1 TRACE method (see bug 302489)
// and MS IIS equivalent TRACK (see bug 381264)
if (method.LowerCaseEqualsASCII("trace") ||
method.LowerCaseEqualsASCII("track")) {
return NS_ERROR_INVALID_ARG;
}

Which lead me to do:

var xhr = new XMLHttpRequest();
xhr.open('%trace', '/',false);
xhr.send('');
alert(xhr.responseText);

When I was testing I was using Paros proxy and strangely enough the request worked. Turns out Paros drops the % and sends it along. Does anyone know of any other proxies that behave similarly?

You can test it out here: method_bypass.html

Update: Depending on the logging level, Squid (and possibly others) will display all header information on some errors. The above request will be treated as an invalid request and as such will echo back everything.

I had some free time today and after about 10 minutes of poking around AOL’s web services, I came to the conclusion that their developers have no concept of security. Every AOL domain I looked at had multiple XSS holes on basically every page. They ranged from random subdomains like:

http://autos.aol.com/
http://finance.aol.com/

To more serious domains like:

http://webmail.aol.com/ (need to be logged in)
https://account.login.aol.com/

To the really bad:

https://my.screenname.aol.com/

Access to all of AOL’s web services requires only 2 cookies, SNS_AA from aol.com, and SNS_SKWAT from screenname.aol.com. The only positive thing I ran into is the fact they require you to answer a security question to access account management functions.

Oh! I almost forgot, they also made a feeble attempt at blocking a select number of javascript functions and attributes. For example, this is blocked:

alert(document.cookie)

But this isn’t:

x=document;alert(x.cookie);