Cross-Site Tracing (XST) attacks
A common pattern in Cross Site Scripting attacks requires to access to a victim's
document.cookie object in order to hijack their session information. A common countermeasure is to tag the cookies that store session data as
HttpOnly so they can be read only by the server side of the web app. That way it's possible to prevent a malicious script from reading the session cookie even if it had fully access to
Cross-Site Tracing (XST) attacks were originated in order to circumvent the
HttpOnly countermeasure described previously. They relied in a not very well known HTTP method called
TRACE is used mostly for debugging purposes. It returns back to the client the whole string that was sent to the server, the problem is that it also returned the value containing the
HttpOnly cookie. Then the attacker could easily perform a client side AJAX request in order to read the session data.
In order to prevent XST attacks, modern browsers prevent
405 (Method Not Allowed) code.
### Test the TRACE method
Common security scanners perform checks to determine which HTTP methods are enabled in the analyzed webserver. In addition, it's pretty simple to perform a fast check just using curl, as in the following example:
$ curl -X -v TRACE http://www.myserver.com
< HTTP/1.1 405 Method Not Allowed < Date: Thu, 23 Jul 2015 19:21:35 GMT < Server: Apache/2.4.7 < Allow: < Content-Length: 297 < Content-Type: text/html; charset=iso-8859-1