Cross-Site Tracing (XST) attacks

A common pattern in Cross-Site Scripting attacks is to read the victim's document.cookie object in order to hijack their session. A common countermeasure is to flag the cookies that store session data as HttpOnly, so that only the server side of the web app can read them. That way a malicious script cannot read the session cookie even if it has full access to document.cookie.

Cross-Site Tracing (XST) attacks originated as a way to circumvent the HttpOnly countermeasure described above. They rely on a little-known HTTP method called TRACE.

HTTP TRACE is used mostly for debugging. It echoes the entire request back to the client, including the Cookie header, so the response body contains the value of the HttpOnly cookie. An attacker could therefore issue a client-side AJAX TRACE request and read the session data from the response.

To prevent XST attacks, modern browsers refuse to issue TRACE requests from JavaScript, and web servers disable the method by default, answering it with a 405 (Method Not Allowed) status.

### Test the TRACE method

Common security scanners check which HTTP methods the analyzed web server has enabled. It is also simple to perform a quick check with curl, as in the following example:

$ curl -v -X TRACE http://www.myserver.com
< HTTP/1.1 405 Method Not Allowed
< Date: Thu, 23 Jul 2015 19:21:35 GMT
< Server: Apache/2.4.7
< Allow: 
< Content-Length: 297
< Content-Type: text/html; charset=iso-8859-1
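As an added example that is not part of the original post, the following Python script performs the same check as the curl command and classifies the reply: a 405 means TRACE is disabled, while a 2xx whose body echoes the Cookie header back is the XST exposure described above. The two sample replies are constructed (the 405 is modelled on the curl output shown; www.example.com and the xst_probe cookie are placeholders), so the parsing part runs offline; probe() uses only the standard library's http.client.

```python
# Added example (not from the original article): classify the reply to an
# HTTP TRACE probe, the same check the curl command performs, so the result
# can be asserted in a test or a CI job.
from __future__ import annotations

import http.client
from dataclasses import dataclass


@dataclass(frozen=True)
class TraceResult:
    status: int                       # HTTP status code of the reply
    allowed_methods: tuple[str, ...]  # methods listed in the Allow header, if any
    echoed_cookie: bool               # did the body echo our Cookie header back?

    @property
    def trace_enabled(self) -> bool:
        # A hardened server answers TRACE with 405 (Method Not Allowed);
        # any 2xx reply means the method is live.
        return 200 <= self.status < 300

    @property
    def verdict(self) -> str:
        if not self.trace_enabled:
            return "TRACE disabled"
        if self.echoed_cookie:
            return "TRACE enabled and echoes cookies (XST exposure)"
        return "TRACE enabled"


def _echoes_cookie(body: bytes) -> bool:
    # A TRACE reply is message/http: the request we sent, verbatim. The XST
    # problem is precisely that the Cookie header comes back in that body.
    return any(
        line.strip().lower().startswith("cookie:")
        for line in body.decode("iso-8859-1", "replace").splitlines()
    )


def _split_allow(value: str) -> tuple[str, ...]:
    # "GET, HEAD, POST" -> ("GET", "HEAD", "POST"); an empty Allow header -> ()
    return tuple(m.strip().upper() for m in value.split(",") if m.strip())


def parse_response(raw: bytes) -> TraceResult:
    """Classify a raw HTTP/1.x response (status line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1", "replace").split("\r\n")
    status = int(lines[0].split()[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return TraceResult(status, _split_allow(headers.get("allow", "")), _echoes_cookie(body))


def probe(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> TraceResult:
    """Send one TRACE carrying a marker cookie and classify the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={"Cookie": "xst_probe=marker"})
        resp = conn.getresponse()
        body = resp.read()
        allow = _split_allow(resp.getheader("Allow") or "")
        return TraceResult(resp.status, allow, _echoes_cookie(body))
    finally:
        conn.close()


# Constructed sample replies. The first mirrors the 405 shown in the curl
# output; the second is what a server with TRACE left on would return.
SAMPLE_TRACE_DISABLED = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Date: Thu, 23 Jul 2015 19:21:35 GMT\r\n"
    b"Server: Apache/2.4.7\r\n"
    b"Allow: \r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h1>Method Not Allowed</h1></body></html>"
)

SAMPLE_TRACE_ENABLED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: xst_probe=marker\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_TRACE_DISABLED, SAMPLE_TRACE_ENABLED):
        print(parse_response(sample).verdict)
```

The marker cookie is what turns the check into a verdict: when the server echoes it back, the body of the reply demonstrates exactly the leak that HttpOnly was meant to prevent, so the check fails even if the status alone looked harmless.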
