Random thoughts on Penetration Testing, Security Code Review and some other stuff !
Wednesday, September 18, 2013
ASP.Net Trace.axd, a gold mine of information!
What is Trace.axd?
Trace.axd is an HTTP handler that gives access to the trace information of recent requests, some sort of phpinfo() focused on request details.
This is not a new issue; it has been known for a very long time, and you can find it mentioned in the excellent article about ASP.Net assessment in HITB magazine issue 009.
I'm writing this post, however, to highlight the impact that access to this page can have.
How to discover the vulnerability?
Simply access Trace.axd?id=0; the id is the number of the buffered request, and the number of stored requests depends on the server configuration.
If you access a very high number, you'll simply be redirected to a page listing all buffered requests.
The less known fact is that tracing is not limited to Trace.axd: it can also be enabled per page and accessed using the following parameter: page.aspx?displayTraceInfo=true
I didn't find any mention of this parameter in MSDN, but you can find references to it on Stack Overflow. It is also worth mentioning that I'm not aware of any vulnerability scanner that checks for this parameter, while most of them check for Trace.axd.
Per page tracing is enabled using the following attribute:
<%@ Page Trace="true" %>
Global tracing is enabled using the following element in the web.config configuration file:
<system.web>
    <trace enabled="true" />
</system.web>
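As an added example (not from the original post), a small Python audit that checks a web.config and an .aspx page for the two settings just described. The sample files are constructed; the localOnly attribute of the trace element, which defaults to true and restricts Trace.axd to requests from the local machine, is taken from the ASP.NET documentation rather than from this post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample web.config: tracing is on and exposed to remote clients.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <trace enabled="true" localOnly="false" requestLimit="40" />
  </system.web>
</configuration>"""

# Constructed sample web.config: tracing off, and local-only if ever re-enabled.
HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <trace enabled="false" localOnly="true" />
  </system.web>
</configuration>"""

# Constructed sample .aspx page with per-page tracing switched on.
PAGE_WITH_TRACE = '<%@ Page Language="C#" Trace="true" %>\n<html><body>hi</body></html>'


def _is_true(value):
    return value is not None and value.strip().lower() == "true"


def audit_web_config(xml_text):
    """Return findings for the <system.web><trace> element.
    ASP.NET defaults are enabled="false" and localOnly="true"."""
    findings = []
    root = ET.fromstring(xml_text)
    system_web = next(iter(root.iter("system.web")), None)
    trace = system_web.find("trace") if system_web is not None else None
    if trace is None:
        return findings  # element absent: defaults apply, tracing is off
    if _is_true(trace.get("enabled", "false")):
        findings.append("trace enabled: Trace.axd serves buffered request details")
        if not _is_true(trace.get("localOnly", "true")):
            findings.append("localOnly=false: Trace.axd is reachable from remote clients")
    return findings


# Matches a page directive that carries Trace="true".
_PAGE_TRACE = re.compile(r'<%@\s*Page\b[^%]*\bTrace\s*=\s*"true"', re.IGNORECASE)


def audit_aspx(page_text):
    """Flag a page directive that turns on per-page tracing."""
    if _PAGE_TRACE.search(page_text):
        return ['per-page Trace="true": trace output can be appended to the page']
    return []
```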
What's the impact?
The real risk of Trace.axd, compared to phpinfo() for instance, is that you can access the traces of other users' requests; this means access to session information and query parameters such as usernames and passwords.
Another impact is access to internal information about the application, such as file paths and SQL queries, which can help in discovering hidden content or assist in identifying and exploiting tricky injection attacks.
Using some very simple Google-fu, you can find several vulnerable web applications, allowing session hijacking and clear-text password retrieval. An attacker could even write a simple script that keeps polling Trace.axd?id=0 to retrieve session identifiers in real time.