Cross-site tracing

from Wikipedia, the free encyclopedia

Cross-site tracing (XST or CST for short) is an attack on Internet users that aims to obtain certain user data. A regular web server function (HTTP TRACE) and security gaps in browsers make it possible for a third party to receive HTTP header information. This attack occurs particularly in connection with cross-site scripting.

Unlike a normal cross-site scripting attack, however, a cross-site tracing attack is not limited to the same document or the same web server; any web server can be used to reach the victim's user data on any website. This makes this type of attack particularly dangerous, since in principle an attack on the user data of any other website is possible from any website that a user visits.

Details

An HTTP TRACE request corresponds to a GET request, with the difference that the web server echoes the entire request it received back to the client. A script executed on the client side can send a TRACE request and read from the echoed response all information that was sent to the web server and is of interest to the attacker, including all HTTP header fields (authentication data, cookies, etc.).

Such an attack can circumvent security measures such as the HttpOnly parameter introduced by Microsoft for HTTP cookies, and even encrypted transmissions (such as HTTPS).

Since cross-site scripting is one of the most common vulnerabilities in web applications, cross-site tracing is primarily associated with it. However, in theory, all client-side protocols are suitable for this attack if they can be used to create HTTP requests. In addition to JavaScript and JScript, this also includes VBScript, Flash (ActionScript), Java, ActiveX and others.

Example

  1. A user is lured to an HTML page prepared by the attacker.
  2. The page contains JavaScript code that sends a TRACE request to a website from which the attacker wants to obtain the user's cookie data.
  3. The server sends the client's request including cookies back to the client, where it is evaluated by the JavaScript code.
  4. The JavaScript script filters out the cookies and sends them to the attacker.

Protection

Every web server that supports the TRACE method opens up this possibility of attack. The attack can be prevented by deactivating TRACE support on the web server for requests to that server.

On the client side, all forms of cross-site scripting can be prevented by deactivating JavaScript support (Active Scripting). However, this comes at the price that many pages can no longer be used as expected.
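To confirm that TRACE support is actually deactivated on a server you operate, the following added example (not part of the original article) sends a TRACE request carrying a harmless marker header and reports whether the server echoes it back. The function name, the `X-Trace-Canary` header and the two localhost test servers are constructed for this illustration.

```python
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def trace_echoes_headers(host, port, use_tls=False, timeout=5):
    """True if the server answers TRACE with 200 and echoes our request headers."""
    canary = "xst-canary-" + secrets.token_hex(8)  # harmless marker, not a credential
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"X-Trace-Canary": canary})
        resp = conn.getresponse()
        body = resp.read(65536).decode("latin-1")
        return resp.status == 200 and canary in body
    finally:
        conn.close()


class NoTraceHandler(BaseHTTPRequestHandler):
    """Constructed test server with TRACE disabled: http.server replies 501."""
    def log_message(self, *args):  # keep the demo quiet
        pass


class EchoTraceHandler(NoTraceHandler):
    """Constructed test server with TRACE enabled: echoes the request back."""
    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server(handler):
    """Start a throwaway server on a free localhost port and return it."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    for name, handler in (("TRACE enabled", EchoTraceHandler), ("TRACE disabled", NoTraceHandler)):
        srv = start_server(handler)
        print(name, "->", trace_echoes_headers("127.0.0.1", srv.server_address[1]))
        srv.shutdown()
```

A result of `True` means the request headers come back in the response body, which is the behaviour the attack depends on; after TRACE is deactivated the same check should return `False`.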
