In January 2003, Jeremiah Grossman released the HttpOnly cookie circumvention method. He called it Cross-Site Tracing (XST), inadvertently starting a trend of attaching “cross-site” to as many web vulnerabilities as possible.
Not confused yet?
First, take a look at XSS. XSS vulnerabilities that are better described as HTML injections arise because the web application reflects the attacker’s payload in the HTTP response body – HTML.
So, XST is not about getting a <script> tag into the page; the attacker is assumed to be able to do that already. The script below is what that foothold is used for:
```javascript
var xhr = new XMLHttpRequest();
xhr.open('TRACE', 'http://test.lab/', false); // synchronous TRACE request
xhr.send(null);
if (200 == xhr.status) alert(xhr.responseText); // the server echoes the request, headers included
```
The following image shows one possible response. Pay attention to the text in red: the browser added the Authorization and Cookie headers to the XHR request, and the server reflected them back.
According to RFC 2616, “TRACE allows the client to see what is being received at the other end of the request chain and use that data for testing or diagnostic information”. The TRACK method works in the same way but is specific to Microsoft IIS. Combined with a cross-site scripting (XSS) foothold, XST can be used to steal a user's cookies even when they carry the HttpOnly flag, and to expose the user's Authorization header.
Below is another example, this time using cURL to send a request with a custom header:
```
$ curl -X TRACE -H "X-Header: test" foo.com
TRACE / HTTP/1.1
User-Agent: curl/7.24.0
Host: foo.com
Accept: */*
X-Header: test
```
As you can see, the server simply echoes the headers back. The problem is that TRACE reflects everything you send to the server, including cookies and HTTP authentication strings, since those are just headers too.
```html
<script>
  var xmlhttp = new XMLHttpRequest();
  var url = 'http://foo.com/';
  xmlhttp.withCredentials = true; // send the Cookie header with the request
  xmlhttp.open('TRACE', url, false); // synchronous TRACE request
  xmlhttp.send();
  var xmlDoc = xmlhttp.responseText; // the echoed request, headers included
  alert(xmlDoc);
</script>
```
Although this will no longer work in modern browsers, I still think it is important to know that even something seemingly harmless such as the TRACE method can be used as an exploit.
After Microsoft issued a press release describing the HttpOnly patch to protect against XSS, attackers found a way to circumvent HttpOnly and conduct XSS attacks on a larger scale. A typical XST attack can begin when a careless Internet user visits a site hosted on a compromised server. The server sends script code to the victim's computer. The victim's computer then sends a TRACE HTTP request to another site that the victim has recently visited. The second site's response echoes the cookies or other authentication data, which the script passes on to the compromised server, making the data available to the attacker.
- Fix known weaknesses in browsers that allow the same-origin (domain) restriction to be circumvented.
- Disable the TRACE request method on production and development web servers (unless it is required).
- Web server vendors must update their web server packages to disable TRACE by default.
- Web server vendors should inform their users how to disable or block TRACE on existing web servers.
- ActiveX controls that support arbitrary HTTP requests should be marked as unsafe by default.
- Users should be able to disable all active scripting to better protect their credentials. However, this can have a negative impact on the functionality of many websites.
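The two ideas above, that a TRACE response is the echoed request (message/http) and that the mitigation is to make sure TRACE is disabled, can be turned into an audit check. The following Python script is an added example, not code from the original article: it parses a TRACE response, decides whether TRACE is enabled, and reports which sensitive headers (Cookie, Authorization) came back. The two sample responses, the host name `test.lab` and the `X-Xst-Canary` header are constructed for the example; `probe_trace()` sends only that canary header, never real credentials, and is meant for servers you administer.

```python
"""Audit check for the XST mitigation: is TRACE enabled, and what does it echo?
Added example, not from the original article.  Sample responses are constructed."""
import http.client
from typing import Dict, Tuple

# Request headers whose reflection matters for XST: cookies and HTTP auth.
SENSITIVE_HEADERS = ("cookie", "authorization", "proxy-authorization")

CANARY = "xst-audit-canary"  # constructed marker sent in X-Xst-Canary

# Constructed sample 1: a misconfigured server echoing the request, including
# the Cookie and Authorization headers a browser would have attached.
ECHOING_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\n"
    b"Host: test.lab\r\n"
    b"Cookie: session=abc123\r\n"
    b"Authorization: Basic dXNlcjpwYXNz\r\n"
    b"X-Xst-Canary: xst-audit-canary\r\n"
    b"\r\n"
)

# Constructed sample 2: a hardened server refusing the method.
HARDENED_RESPONSE = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET, HEAD, POST\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Method Not Allowed</body></html>"
)


def parse_http_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def echoed_request_headers(body: bytes) -> Dict[str, str]:
    """A TRACE body is the request as the server received it (message/http).
    Return its header fields with lower-cased names."""
    lines = body.decode("iso-8859-1").split("\r\n")
    echoed: Dict[str, str] = {}
    for line in lines[1:]:  # line 0 is the echoed request line
        if not line:        # blank line ends the echoed header block
            break
        name, _, value = line.partition(":")
        echoed[name.strip().lower()] = value.strip()
    return echoed


def assess_trace(status: int, headers: Dict[str, str], body: bytes, canary: str) -> dict:
    """TRACE counts as enabled when the server answers 2xx with a message/http
    body whose first line is a TRACE request line.  Also report whether our
    canary header came back and which sensitive headers were echoed."""
    lowered = {k.lower(): v for k, v in headers.items()}
    ctype = lowered.get("content-type", "").split(";")[0].strip().lower()
    first_line = body.split(b"\r\n", 1)[0]
    enabled = 200 <= status < 300 and ctype == "message/http" and first_line.startswith(b"TRACE ")
    echoed = echoed_request_headers(body) if enabled else {}
    return {
        "status": status,
        "trace_enabled": enabled,
        "canary_reflected": echoed.get("x-xst-canary") == canary,
        "leaked_headers": sorted(h for h in echoed if h in SENSITIVE_HEADERS),
    }


def assess_raw_response(raw: bytes, canary: str = CANARY) -> dict:
    """Assess a captured raw response (e.g. saved from a proxy or curl -i)."""
    status, headers, body = parse_http_response(raw)
    return assess_trace(status, headers, body, canary)


def probe_trace(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> dict:
    """Live check against a server you administer: send TRACE with only the
    canary header and assess the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={"X-Xst-Canary": CANARY})
        resp = conn.getresponse()
        return assess_trace(resp.status, dict(resp.getheaders()), resp.read(), CANARY)
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_trace(sys.argv[1]))
    else:
        print(assess_raw_response(ECHOING_RESPONSE))   # trace_enabled: True, leaks cookie + authorization
        print(assess_raw_response(HARDENED_RESPONSE))  # trace_enabled: False
```

A `trace_enabled: True` result means the "disable TRACE" item from the list above is not in place; on Apache httpd the fix is the core directive `TraceEnable off`, and a hardened server should answer 405 as in the second sample. Even though current browsers refuse to issue TRACE from script, an enabled TRACE method is still a configuration finding worth closing.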
Since Cross-Site Tracing (XST) can be considered a retro vulnerability, the purpose of this article was to familiarize users with an interesting (in my opinion) vector of attack on web applications.