Cross Site Tracing (XST)

A Cross-Site Tracing (XST) attack combines Cross-Site Scripting (XSS) with the TRACE or TRACK HTTP methods. In some scenarios the TRACE method can be leveraged to steal legitimate users' credentials. Tagging a cookie as HttpOnly forbids JavaScript from accessing it, which protects it from being sent to a third party. However, because TRACE echoes the request (including its Cookie header) back in the response body, it can be used to bypass this protection and read the cookie even in this scenario.

The TRACE method (or Microsoft's equivalent TRACK method) causes the server to echo back the contents of the request. This led to a vulnerability called Cross-Site Tracing (XST) being published in 2003 (PDF), which could be used to access cookies that had the HttpOnly flag set. The TRACE method has been blocked in all browsers and plugins for many years, and as such this issue is no longer exploitable. However, it may still be flagged by automated scanning tools, and the TRACE method being enabled on a web server suggests that it has not been properly hardened.

OWASP Testing Guide: Test HTTP Methods

Examples

curl -X TRACE 127.0.0.1
TRACE / HTTP/1.1
User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
Host: 127.0.0.1
Accept: */*

curl -X TRACE -H "Cookie: name=value" 127.0.0.1
TRACE / HTTP/1.1
User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
Host: 127.0.0.1
Accept: */*
Cookie: name=value
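The curl examples above show what a TRACE echo looks like on a server that still honours the method. The following script is an added example (not part of the original page, and not OWASP code) that reproduces the same check from the hardening side: it starts two toy servers on loopback, one that echoes TRACE requests and one that refuses them with 405, then sends a TRACE carrying a constructed marker cookie and reports whether the marker came back in the response body. The marker value `xst_probe=canary` and the two handler classes are assumptions made for this example.

```python
import http.client
import http.server
import threading

# Constructed marker value; it stands in for a session cookie and is
# never a real credential.
MARKER_COOKIE = "xst_probe=canary"


class TraceEchoHandler(http.server.BaseHTTPRequestHandler):
    """Unhardened toy server: honours TRACE by echoing the request back."""

    def do_TRACE(self):
        # Echo the request line and every header, exactly what the
        # curl examples show a real server doing.
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


class HardenedHandler(http.server.BaseHTTPRequestHandler):
    """Hardened toy server: TRACE is refused with 405 Method Not Allowed."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def start_server(handler):
    """Bind the handler to a free loopback port and serve it on a thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def check_trace(host, port):
    """Send one TRACE with the marker cookie.

    Returns (status_code, marker_echoed). A 200 with the marker present
    means the server reflects request headers and should be hardened.
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", "/", headers={"Cookie": MARKER_COOKIE})
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    return resp.status, MARKER_COOKIE in body


def main():
    for name, handler in (("unhardened", TraceEchoHandler),
                          ("hardened", HardenedHandler)):
        srv = start_server(handler)
        status, echoed = check_trace(*srv.server_address)
        print(f"{name}: TRACE -> {status}, marker cookie echoed: {echoed}")
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    main()
```

Run it directly to see the unhardened server answer 200 with the marker reflected and the hardened server answer 405; `check_trace` can be pointed at any host and port you administer to confirm TRACE is disabled after changing the web server configuration.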

Example JavaScript XMLHttpRequest TRACE request. In Firefox 19.0.2 it will not work and returns an "Illegal Value" error. In Google Chrome 25.0.1364.172 it will not work and returns an "Uncaught Error: SecurityError: DOM Exception 18" error. This is because modern browsers block the TRACE method in XMLHttpRequest to help mitigate XST.

<script>
  var xmlhttp = new XMLHttpRequest();
  var url = 'http://127.0.0.1/';

  xmlhttp.withCredentials = true; // send cookie header
  // third argument false = synchronous request; browsers that block
  // TRACE throw the errors described above from this open() call
  xmlhttp.open('TRACE', url, false);
  xmlhttp.send();
</script>