Cross Site Tracing
A Cross-Site Tracing (XST) attack involves the use of Cross-site Scripting (XSS) and the TRACE or TRACK HTTP methods. According to RFC 2616, “TRACE allows the client to see what is being received at the other end of the request chain and use that data for testing or diagnostic information.” The TRACK method works in the same way but is specific to Microsoft’s IIS web server. XST could be used as a method to steal a user’s cookies via Cross-site Scripting (XSS) even if the cookie has the “HttpOnly” flag set, and/or to expose the user’s Authorization header.
The following example uses cURL from the command line to send a TRACE request to a web server on localhost with TRACE enabled. Notice how the web server responds with the request that was sent to it.
    $ curl -X TRACE 127.0.0.1
    TRACE / HTTP/1.1
    User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
    Host: 127.0.0.1
    Accept: */*
In this example, notice how we send a Cookie header with the request and it also appears in the web server’s response.
    $ curl -X TRACE -H "Cookie: name=value" 127.0.0.1
    TRACE / HTTP/1.1
    User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
    Host: 127.0.0.1
    Accept: */*
    Cookie: name=value
In this example the TRACE method is disabled. Notice how we get an error instead of the request we sent.
    $ curl -X TRACE 127.0.0.1
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>405 Method Not Allowed</title>
    </head><body>
    <h1>Method Not Allowed</h1>
    <p>The requested method TRACE is not allowed for the URL /.</p>
    </body></html>
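The same TRACE request expressed as a JavaScript XMLHttpRequest. Current browsers reject the TRACE and TRACK methods in XMLHttpRequest.open() with a security error, which is one of the mitigations for XST.

    <script>
      var xmlhttp = new XMLHttpRequest();
      var url = 'http://127.0.0.1/';
      xmlhttp.withCredentials = true; // send cookie header
      xmlhttp.open('TRACE', url, false);
      xmlhttp.send();
    </script>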
In Apache versions 1.3.34, 2.0.55 and later, set the TraceEnable directive to “off” in the main configuration file and then restart Apache. See TraceEnable for further information.
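To confirm that the TraceEnable change took effect, the check below sends TRACE and TRACK with throwaway canary credentials and reports whether they are reflected in the reply. It is an added example, not part of the original OWASP page; the names `analyze_trace_reply` and `probe`, the canary format and the sample replies are assumptions made for illustration.

```python
import http.client
import secrets

# Constructed sample replies, modelled on the curl output shown above.
ECHOED = ("TRACE / HTTP/1.1\r\nHost: 127.0.0.1\r\nAccept: */*\r\n"
          "Cookie: probe=xst-canary\r\nAuthorization: Basic xst-canary\r\n")
REFUSED = ("<h1>Method Not Allowed</h1>"
           "<p>The requested method TRACE is not allowed for the URL /.</p>")

def analyze_trace_reply(status, body, canary):
    """Classify one TRACE/TRACK reply; return (verdict, reflected header names)."""
    reflected = sorted({
        line.split(":", 1)[0].strip().lower()
        for line in body.splitlines()
        if ":" in line and canary in line.split(":", 1)[1]
    })
    if reflected:
        return "enabled", reflected      # request headers came back in the body
    if status in (405, 501):
        return "disabled", []            # method refused or not implemented
    return "inconclusive", []            # e.g. a proxy answered with a normal page

def probe(host, port=80, methods=("TRACE", "TRACK"), timeout=5):
    """Send each method with canary credentials to a server you administer."""
    results = {}
    for method in methods:
        canary = "xst-" + secrets.token_hex(8)   # unique value, never a real secret
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, "/", headers={
                "Cookie": "probe=" + canary,
                "Authorization": "Basic " + canary,
            })
            resp = conn.getresponse()
            body = resp.read(65536).decode("latin-1")
            results[method] = analyze_trace_reply(resp.status, body, canary)
        finally:
            conn.close()
    return results

if __name__ == "__main__":
    print(analyze_trace_reply(200, ECHOED, "xst-canary"))
    print(analyze_trace_reply(405, REFUSED, "xst-canary"))
```

An "inconclusive" verdict deserves a manual look, since an intermediary may be answering TRACE on the origin server's behalf.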