[JIRA] (JENKINS-60180) Prevent HTTP TRACE in Jetty


wfollonier@cloudbees.com (JIRA)

Nov 15, 2019, 4:06:03 AM
to jenkinsc...@googlegroups.com
Wadeck Follonier created an issue
 
Jenkins / Improvement JENKINS-60180
Prevent HTTP TRACE in Jetty
Issue Type: Improvement
Assignee: Wadeck Follonier
Components: core
Created: 2019-11-15 09:05
Priority: Minor
Reporter: Wadeck Follonier

It was reported to the security team that Jenkins is allowing the TRACE method by default. For the background, the TRACE method is used to debug an application because its objective is simple: the response will contain the request in its entirety, including the httpOnly cookies sent. Triggered by JavaScript, it was possible to achieve an XST (cross-site tracing), allowing the JavaScript code to have access to something it should not have access to.

I specifically wrote "was" because it was the case in 2003 when the vulnerability was discovered by Jeremiah Grossman. Initially it was to exploit the new (at that time) httpOnly tag on cookies that Microsoft created.

Nowadays, browsers do not allow JavaScript to generate HTTP requests with the TRACE method. The only way you have to generate a TRACE request is to use either a Java Applet or Flash, meaning you are already in a deeper problematic situation.

If you need at all costs to enable Applets / Flash, you can simply use a rule in your firewall, WAF or reverse proxy to prevent the TRACE method from reaching your production system.

This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)
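As an added example (not part of the issue or of Jenkins code), here is the check a defender can run against their own instance after upgrading or after adding the proxy rule described above: it sends one TRACE request carrying a marker header and reports whether the server reflects it back, which is exactly the behaviour XST relies on. The two local handlers are constructed stand-ins for a TRACE-echoing server and a hardened one; the marker header name is an arbitrary choice.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class EchoTraceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server that still honours TRACE: it echoes the
    request line and all request headers (cookies included) back in the body."""
    def do_TRACE(self):
        body = self.requestline.encode() + b"\r\n" + self.headers.as_bytes()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

class NoTraceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a hardened server: with no do_TRACE defined, the
    base class answers 501 Unsupported method and echoes nothing."""
    def log_message(self, *args):
        pass

def serve(handler):
    """Start a throwaway local server on a free port and return it."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def trace_allowed(host, port, marker="x-xst-check-token"):
    """Send one TRACE request carrying a marker header. Returns (status, echoed);
    echoed=True means the server reflected the request, so cookies would be too."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", "/", headers={marker: "1"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    echoed = resp.status == 200 and marker.encode() in body.lower()
    return resp.status, echoed

if __name__ == "__main__":
    for name, handler in (("echoing", EchoTraceHandler), ("hardened", NoTraceHandler)):
        srv = serve(handler)
        print(name, trace_allowed(*srv.server_address))  # (200, True) then (501, False)
        srv.shutdown()
```

Against a real instance, point `trace_allowed` at the host and port you administer; any status other than 200, or a 200 without the marker in the body, means TRACE is not being reflected.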

wfollonier@cloudbees.com (JIRA)

Nov 15, 2019, 4:51:04 AM
to jenkinsc...@googlegroups.com
Wadeck Follonier started work on Improvement JENKINS-60180
 
Change By: Wadeck Follonier
Status: Open → In Progress

o.v.nenashev@gmail.com (JIRA)

Nov 25, 2019, 4:22:05 PM
to jenkinsc...@googlegroups.com
Oleg Nenashev updated Improvement JENKINS-60180
 

Released in Jenkins 2.205

Change By: Oleg Nenashev
Status: In Review → Resolved
Resolution: Fixed
Released As: Jenkins 2.205