CAPEC-107: Cross Site Tracing
Cross Site Tracing (XST) enables an adversary to steal the victim's session cookie and possibly other authentication credentials transmitted in the header of the HTTP request when the victim's browser communicates to a destination system's web server.
Last updated
Overview
The adversary uses an XSS attack to have victim's browser sent an HTTP TRACE request to a destination web server, which will proceed to return a response to the victim's web browser that contains the original HTTP request in its body. Since the HTTP header of the original HTTP TRACE request had the victim's session cookie in it, that session cookie can now be picked off the HTTP TRACE response and sent to the adversary's malicious site. XST becomes relevant when direct access to the session cookie via the "document.cookie" object is disabled with the use of httpOnly attribute which ensures that the cookie can be transmitted in HTTP requests but cannot be accessed in other ways. Using SSL does not protect against XST. If the system with which the victim is interacting is susceptible to XSS, an adversary can exploit that weakness directly to get their malicious script to issue an HTTP TRACE request to the destination system's web server.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Determine if HTTP Trace is enabled] Determine if HTTP Trace is enabled at the web server with which the victim has an active session
- An adversary may issue an HTTP Trace request to the target web server and observe if the response arrives with the original request in the body of the response.
- Step 2Experiment
[Identify mechanism to launch HTTP Trace request] The adversary attempts to force the victim to issue an HTTP Trace request to the targeted application.
- The adversary probes for cross-site scripting vulnerabilities to force the victim into issuing an HTTP Trace request.
- Step 3Exploit
[Create a malicious script that pings the web server with HTTP TRACE request] The adversary creates a malicious script that will induce the victim's browser to issue an HTTP TRACE request to the destination system's web server. The script will further intercept the response from the web server, pick up sensitive information out of it, and forward to the site controlled by the adversary.
- The adversary's malicious script circumvents the httpOnly cookie attribute that prevents from hijacking the victim's session cookie directly using document.cookie and instead leverages the HTTP TRACE to catch this information from the header of the HTTP request once it is echoed back from the web server in the body of the HTTP TRACE response.
- Step 4Exploit
[Execute malicious HTTP Trace launching script] The adversary leverages an XSS vulnerability to force the victim to execute the malicious HTTP Trace launching script
- Step 5Exploit
[Intercept HTTP TRACE response] The adversary's script intercepts the HTTP TRACE response from teh web server, glance sensitive information from it, and forward that information to a server controlled by the adversary.
What the attacker needs
Prerequisites
- HTTP TRACE is enabled on the web server
- The destination system is susceptible to XSS or an adversary can leverage some other weakness to bypass the same origin policy
- Scripting is enabled in the client's browser
- HTTP is used as the communication protocol between the server and the client
Skills required
- Medium skill: Understanding of the HTTP protocol and an ability to craft a malicious script
Resources required
- None: No specialized resources are required to execute this type of attack.
Consequences
What a successful CAPEC-107 attack can achieve.
Read Data
Affects: Confidentiality
Gain Privileges
Affects: Confidentiality, Access Control, Authorization
Modify Data
Affects: Integrity
How to mitigate it
Defenses that reduce the risk of CAPEC-107.
- Administrators should disable support for HTTP TRACE at the destination's web server. Vendors should disable TRACE by default.
- Patch web browser against known security origin policy bypass exploits.
Examples
An adversary determines that a particular system is vulnerable to reflected cross-site scripting (XSS) and endeavors to leverage this weakness to steal the victim's authentication cookie. An adversary realizes that since httpOnly attribute is set on the user's cookie, it is not possible to steal it directly with their malicious script. Instead, the adversary has their script use XMLHTTP ActiveX control in the victim's IE browser to issue an HTTP TRACE to the target system's server which has HTTP TRACE enabled. The original HTTP TRACE request contains the session cookie and so does the echoed response. The adversary picks the session cookie from the body of HTTP TRACE response and ships it to the adversary. The adversary then uses the newly acquired victim's session cookie to impersonate the victim in the target system. In the absence of an XSS weakness on the site with which the victim is interacting, an adversary can get the script to come from the site that they control and get it to execute in the victim's browser (if they can trick the victim's into visiting their malicious website or clicking on the link that they supplies). However, in that case, due to the same origin policy protection mechanism in the browser, the adversary's malicious script cannot directly issue an HTTP TRACE request to the destination system's web server because the malicious script did not originate at that domain. An adversary will then need to find a way to exploit another weakness that would enable them to circumvent the same origin policy protection.
Terminology & mappings
Mapped taxonomies
- OWASP Attacks: Cross Site Tracing
Frequently asked questions
Common questions about CAPEC-107.
- What is CAPEC-107?
- Cross Site Tracing (XST) enables an adversary to steal the victim's session cookie and possibly other authentication credentials transmitted in the header of the HTTP request when the victim's browser communicates to a destination system's web server.
- How does a Cross Site Tracing attack work?
- It typically unfolds over 5 phases. It begins with: [Determine if HTTP Trace is enabled] Determine if HTTP Trace is enabled at the web server with which the victim has an active session
- How do you prevent CAPEC-107?
- Administrators should disable support for HTTP TRACE at the destination's web server. Vendors should disable TRACE by default.
- What weaknesses does CAPEC-107 target?
- CAPEC-107 exploits 2 CWE weaknesses, including CWE-648 (Incorrect Use of Privileged APIs), CWE-693 (Protection Mechanism Failure).
- How severe is CAPEC-107?
- MITRE rates CAPEC-107 as Very High severity with medium likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-107
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.