- Not in OWASP Testing Guide, but should be under WSTG-INPV
- OWASP documentation on XST
A Cross-Site Tracing (XST) attack involves the use of Cross-Site Scripting (XSS) and the TRACE or TRACK HTTP methods. The TRACE method can be successfully leveraged in some scenarios to steal legitimate users' credentials. Tagging a cookie as HttpOnly prevents JavaScript from accessing it, protecting it from being sent to a third party. However, the TRACE method can be used to bypass this protection and access the cookie even in this scenario.
OWASP Testing Guide: Test HTTP Methods
The TRACE method (or Microsoft's equivalent TRACK method) causes the server to echo back the contents of the request. This led to a vulnerability called Cross-Site Tracing (XST) being published in 2003 (PDF), which could be used to access cookies that had the HttpOnly flag set. The TRACE method has been blocked in all browsers and plugins for many years, and as such this issue is no longer exploitable. However, it may still be flagged by automated scanning tools, and the TRACE method being enabled on a web server suggests that it has not been properly hardened.
Examples

A plain TRACE request; the server echoes the request line and headers back in the response body:

```shell
curl -X TRACE 127.0.0.1
```

```http
TRACE / HTTP/1.1
User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
Host: 127.0.0.1
Accept: */*
```

The same request with a cookie attached; the Cookie header is echoed back too, which is what XST abused to read HttpOnly cookies:

```shell
curl -X TRACE -H "Cookie: name=value" 127.0.0.1
```

```http
TRACE / HTTP/1.1
User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
Host: 127.0.0.1
Accept: */*
Cookie: name=value
```
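The curl checks above only show that a server answered; a hardening check should confirm that the request was actually reflected, because some servers answer an unknown method with 200 and their normal page. The following Python probe is an added example, not code from the page or from OWASP: it sends a TRACE request carrying a random marker in a constructed `X-Probe` header (name chosen here, not a standard header), and classifies the reply as echoed, blocked, or other. It assumes plain HTTP on port 80 with no TLS.

```python
import socket
import uuid

def build_trace_request(host: str, path: str = "/") -> tuple[str, bytes]:
    """TRACE request carrying a random marker header; if the server really
    echoes the request, the marker reappears in the body. A bare 200 is not
    proof, since some servers answer unknown methods with their normal page."""
    marker = "xst-probe-" + uuid.uuid4().hex[:12]
    request = (f"TRACE {path} HTTP/1.1\r\nHost: {host}\r\n"
               f"X-Probe: {marker}\r\nConnection: close\r\n\r\n")
    return marker, request.encode()

def parse_response(raw: bytes) -> tuple[int, bytes]:
    """Split a raw HTTP/1.x response into (status code, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return int(head.split(b"\r\n")[0].split()[1]), body

def classify_trace(marker: str, raw: bytes) -> str:
    """'echoed': TRACE enabled (request reflected, content-type is usually
    message/http); 'blocked': method refused; 'other': not reflected."""
    status, body = parse_response(raw)
    if status == 200 and marker.encode() in body:
        return "echoed"
    if status in (405, 501):
        return "blocked"
    return "other"

def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send the probe over plain TCP (no TLS) and classify the reply."""
    marker, request = build_trace_request(host)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return classify_trace(marker, b"".join(chunks))

# Constructed sample responses (no server involved) covering the outcomes.
SAMPLE_MARKER = "xst-probe-constructed"
SAMPLES = {
    "echoed": (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
               b"TRACE / HTTP/1.1\r\nHost: 127.0.0.1\r\n"
               b"X-Probe: xst-probe-constructed\r\nConnection: close\r\n\r\n"),
    "blocked": b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n",
    "other": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>home</html>",
}

def demo() -> dict:
    """Classify each constructed sample; every key should equal its value."""
    return {name: classify_trace(SAMPLE_MARKER, raw) for name, raw in SAMPLES.items()}
```

An "echoed" result means the server has not been hardened (on Apache, `TraceEnable off` is the fix); "other" deserves a manual look at the response rather than being counted as safe.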
Example JavaScript XMLHttpRequest TRACE request. In Firefox 19.0.2 it will not work and returns an "Illegal Value" error. In Google Chrome 25.0.1364.172 it will not work and returns an "Uncaught Error: SecurityError: DOM Exception 18" error. This is because modern browsers block the TRACE method in XMLHttpRequest to help mitigate XST.
```html
<script>
var xmlhttp = new XMLHttpRequest();
var url = 'http://127.0.0.1/';
xmlhttp.withCredentials = true; // ask the browser to attach the Cookie header
// Synchronous request (third argument false); modern browsers throw here
// because TRACE is a forbidden method for XMLHttpRequest.
xmlhttp.open('TRACE', url, false);
xmlhttp.send();
</script>
```