Cross Site Tracing (XST) is one of the most prevalent threats on the Internet today. The surprising part is that even though developers are somewhat familiar with other attack vectors such as XSS (cross-site scripting) and SQLi (SQL injection), relatively few seem to know what XST is.
XST abuses the HTTP TRACE method. A web server that supports TRACE and has it enabled replies with a copy of what it received: the request and response headers and any associated content. TRACE was designed for debugging HTTP servers: when a server receives a TRACE request, it is supposed to respond by echoing back the entire content of the request, and that includes the cookie information sent in the Cookie header.
It is common knowledge that cookies travel over the Internet in HTTP headers, so anyone who can read the headers has a chance to glean the cookie and take over a session that relies on cookies to keep track of a user. An attacker gets a naive user’s browser to run a script that sends a TRACE request to the target server. When the request is reflected back to the browser, the script can pull out any cookies and send them to the attacker. This type of attack is generally used when ordinary cross-site scripting won’t work because the site sets the HttpOnly flag on its cookies, which hides them from script but not from a reflected TRACE response.
On Apache, disabling TRACE is very easy for versions newer than 1.3.34 in the legacy series and 2.0.55 or newer for Apache 2, because those releases added a directive, TraceEnable, that controls whether the TRACE method is enabled:
This needs to be set in the main server config (or a virtual host; it is not a per-directory or .htaccess directive), and the default is enabled (on). TraceEnable off causes Apache to answer any TRACE request with a 403 Forbidden error instead of echoing it.
Here’s some testing code which can help you find out whether sending the web server a TRACE request hands back the headers and the rest of the conversation.
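As an added example (not the post's own testing code), here is a Python probe that sends a TRACE request and reports whether the server echoed it back; to exercise it offline it also starts a constructed local server with TRACE echo switched on and off. The X-XST-Probe header and its canary value are made up for this example; the check only counts a 200 reply with a message/http body that reflects that header verbatim.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_HEADER = ("X-XST-Probe", "canary-8d2f")  # constructed marker a genuine echo must reflect


def trace_enabled(host, port, path="/", timeout=5):
    """Return True if the server answers TRACE with message/http and echoes our header."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={PROBE_HEADER[0]: PROBE_HEADER[1]})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
    finally:
        conn.close()
    # Apache with TraceEnable off returns 403; other servers commonly return 405.
    if resp.status != 200:
        return False
    ctype = resp.getheader("Content-Type", "")
    return ctype.startswith("message/http") and f"{PROBE_HEADER[0]}: {PROBE_HEADER[1]}" in body


class _EchoHandler(BaseHTTPRequestHandler):  # constructed local server for the self-test
    echo = True  # True: echo TRACE like a misconfigured host; False: refuse like TraceEnable off

    def do_TRACE(self):
        if not self.echo:
            return self.send_error(403)
        # Reflect the request line and every header we received, as a real TRACE echo does.
        lines = [self.requestline] + [f"{k}: {v}" for k, v in self.headers.items()]
        payload = ("\r\n".join(lines) + "\r\n").encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


def run_probe_against_local(echo):
    # Start a throwaway server on 127.0.0.1 with TRACE echo on or off, probe it, shut it down.
    _EchoHandler.echo = echo
    srv = HTTPServer(("127.0.0.1", 0), _EchoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return trace_enabled("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for echo in (True, False):
        print(f"echo={echo}: TRACE reflected ->", run_probe_against_local(echo))
```

Point trace_enabled() at your own host and port to verify that TraceEnable off (or the equivalent on another server) is actually in effect after a configuration change.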