Cross-Site Tracing (XST) vulnerability

CAPEC-107 OWASP 2013-A1 OWASP 2017-A1 WSTG-CONF-06 WASC-14 CWE-200

A Cross-Site Tracing (XST) attack combines Cross-site Scripting (XSS) with the TRACE or TRACK HTTP methods. TRACE allows the client to see what is being received at the other end of the request chain, and is intended for testing or diagnostic information. The TRACK method is only applicable to Microsoft’s IIS web server. XST can be used to steal a user’s cookies via Cross-site Scripting (XSS). Because the server echoes the full request back in the response body, this works even if the cookie has the “HttpOnly” flag set, and it can also expose the user’s Authorization header.

This site allows an attacker to inject malicious code into a link and issue a request using the HTTP TRACE method. In this way, the attacker can steal a user’s cookies via Cross-site Scripting (XSS). Cross-site Scripting (XSS) is a client-side code injection attack in which an attacker executes malicious scripts in a legitimate website or web application.

Example

        $ curl -X TRACE 127.0.0.1
        TRACE / HTTP/1.1
        User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
        Host: 127.0.0.1
        Accept: */*

    

Impact

The issues include:-

  • Data corruption
  • Data Breach
  • A complete shutdown of the server

Mitigation / Precaution

Beagle recommends the following:-

  • PUT, DELETE, CONNECT and TRACE methods must be disabled on your Web server. These functions are a potential security risk.
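
One way to confirm that the recommendation above has taken effect, as an added example that is not Beagle's own code: the script sends TRACE and TRACK with a random canary header to a server you administer and reports whether the request is echoed back. The `X-Canary` header name, the function names and the sample responses are assumptions made for this illustration.

```python
"""Added example: confirm TRACE/TRACK are disabled on a server you administer."""
import http.client
import uuid

ECHO_METHODS = ("TRACE", "TRACK")


def echoes_request(status, content_type, body, canary):
    """True if the response shows the method is served: a 200 whose body
    reflects our canary header or is typed message/http (the TRACE echo)."""
    if status != 200:
        return False
    return canary in body or content_type.lower().startswith("message/http")


def probe(host, port=80, use_tls=False, timeout=5):
    """Send each method with a random canary header.
    Returns {method: True (enabled) | False (rejected) | None (no answer)}."""
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    results = {}
    for method in ECHO_METHODS:
        canary = "xst-check-" + uuid.uuid4().hex
        conn = conn_cls(host, port, timeout=timeout)
        try:
            conn.request(method, "/", headers={"X-Canary": canary})
            resp = conn.getresponse()
            body = resp.read(65536).decode("latin-1")
            results[method] = echoes_request(
                resp.status, resp.getheader("Content-Type", ""), body, canary)
        except (OSError, http.client.HTTPException):
            results[method] = None  # unreachable or connection dropped
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    # Constructed sample responses (not captured from a real server).
    echoed = "TRACE / HTTP/1.1\r\nHost: 127.0.0.1\r\nX-Canary: demo\r\n\r\n"
    print(echoes_request(200, "message/http", echoed, "demo"))  # method enabled
    print(echoes_request(405, "text/html", "Method Not Allowed", "demo"))  # disabled
    # Live check against your own server: print(probe("127.0.0.1", 80))
```

A `True` for either method means the server still reflects requests and the web server configuration needs another look; `None` means the host gave no usable answer, so the result is inconclusive.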
