CAPEC-107: Cross Site Tracing
Cross Site Tracing (XST) enables an adversary to steal the victim's session cookie, and possibly other authentication credentials transmitted in the headers of an HTTP request, when the victim's browser communicates with a destination system's web server.
Overview
The adversary uses an XSS attack to have the victim's browser send an HTTP TRACE request to a destination web server, which returns a response to the victim's browser containing the original HTTP request in its body. Since the headers of that TRACE request carried the victim's session cookie, the cookie can be read out of the TRACE response and sent to the adversary's malicious site. XST becomes relevant when direct access to the session cookie via the "document.cookie" object is disabled by the httpOnly attribute, which ensures that the cookie is transmitted in HTTP requests but cannot be read by script. Using SSL does not protect against XST. If the system with which the victim is interacting is susceptible to XSS, an adversary can exploit that weakness directly to get their malicious script to issue an HTTP TRACE request to the destination system's web server.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1: Explore
[Determine if HTTP Trace is enabled] Determine if HTTP Trace is enabled at the web server with which the victim has an active session
- An adversary may issue an HTTP Trace request to the target web server and observe if the response arrives with the original request in the body of the response.
- Step 2: Experiment
[Identify mechanism to launch HTTP Trace request] The adversary attempts to force the victim to issue an HTTP Trace request to the targeted application.
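The Step 1 check from the defender's side, as an added example that is not part of the CAPEC entry: a constructed local server whose TRACE handler reflects the request (the misconfiguration XST depends on), a hardened one that refuses TRACE with 405, and an audit function that reports whether a TRACE response echoes a canary Cookie header. All class and function names are hypothetical.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class EchoingTraceHandler(BaseHTTPRequestHandler):
    """Constructed misconfigured server: TRACE reflects the request line and
    headers (Cookie included) in the response body, as RFC 7231 describes."""

    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence request logging
        pass

class HardenedHandler(EchoingTraceHandler):
    """Hardened server: TRACE is refused, so request headers are never echoed."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD")
        self.send_header("Content-Length", "0")
        self.end_headers()

def start_server(handler):
    """Bind the handler to an ephemeral loopback port and serve in the background."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def trace_reflects_headers(host, port, canary="XST-AUDIT-CANARY"):
    """True if a TRACE response echoes our request headers: the canary is sent in
    a Cookie header, so if it comes back a real session cookie would too."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", "/", headers={"Cookie": f"audit={canary}"})
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    return resp.status == 200 and canary in body

if __name__ == "__main__":
    srv = start_server(EchoingTraceHandler)
    print("misconfigured server reflects headers:", trace_reflects_headers(*srv.server_address))
    srv.shutdown()
```

On a production server the remedy is to disable the TRACE method outright (for example `TraceEnable off` in Apache httpd), which turns the first result above from True to False.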