What is Cross-Site Scripting (XSS) TRACE Method Vulnerability?

Cross-Site Tracing (XST) is an attack that combines Cross-site Scripting (XSS) with the HTTP TRACE or TRACK methods. The TRACK method operates in the same way as TRACE but is particular to Microsoft’s IIS web server. According to RFC 2616, “TRACE allows the client to view what is being received at the other end of the request chain and utilize that data for testing or diagnostic information.” XST can be used to steal a user’s cookies via Cross-site Scripting (XSS) even if the cookie has the “HttpOnly” flag set, and it can also expose the user’s Authorization header.

While the TRACE method appears harmless, in specific circumstances it can be used to obtain legitimate users’ credentials. Jeremiah Grossman developed this attack technique in 2003 while attempting to circumvent the HttpOnly flag that Microsoft had added in Internet Explorer 6 SP1 to prevent JavaScript from accessing cookies. In fact, one of the most common attack techniques in Cross-Site Scripting is to read the document.cookie object and send it to an attacker-controlled web server in order to steal the victim’s session. When a cookie is marked HttpOnly, JavaScript is not allowed to access it, which prevents it from being transferred to a third party. Even in this situation, however, the TRACE method may be used to circumvent this protection and retrieve the cookie, because the server echoes the request it received, Cookie header included, back in the response body.

Modern browsers now block TRACE requests from being made via JavaScript; nevertheless, alternative ways of making TRACE requests from browsers, such as using Java, have been found.

The following is an example of using cURL from the command line to send a TRACE request to a TRACE-enabled web server on localhost. Note how the web server echoes back the request that was sent to it.

$ curl -X TRACE 127.0.0.1
TRACE / HTTP/1.1
User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
Host: 127.0.0.1
Accept: */*

In this example, observe how the Cookie header we include in the request is echoed back in the web server’s response.

$ curl -X TRACE -H "Cookie: name=value" 127.0.0.1
TRACE / HTTP/1.1
User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
Host: 127.0.0.1
Accept: */*
Cookie: name=value

In this example the TRACE method is disabled on the server, so we get an error instead of an echo of the request we sent.

$ curl -X TRACE 127.0.0.1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /.</p>
</body></html>
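The cURL checks above can be turned into a repeatable audit. The script below is an added example and is not code from the original article: it classifies the response to a TRACE request as enabled (the request is echoed back, with Content-Type message/http as RFC 2616 specifies), blocked (a 405 or 501 like the page shown above) or inconclusive, and reports which of the headers sent, such as Cookie, came back verbatim. The two sample responses are constructed inline so the demo runs offline; `live_check()` sends a real TRACE request with Python’s standard `http.client` for checking your own servers. Where the verdict is “trace_enabled”, the fix is to turn the method off at the server, for example `TraceEnable off` in Apache httpd.

```python
"""Audit check for the HTTP TRACE method (Cross-Site Tracing, XST).

Added example, not code from the original article. The sample responses
below are constructed; live_check() uses http.client for a real probe.
"""
import http.client

# Status codes a server returns when the method is refused outright.
BLOCKED_STATUSES = (403, 405, 501)


def parse_raw_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def echoed_request_headers(body: bytes) -> dict:
    """If the body is an echoed TRACE request, return its headers (lower-cased names); else {}."""
    lines = body.decode("iso-8859-1").split("\r\n")
    if not lines or not lines[0].startswith("TRACE "):
        return {}
    echoed = {}
    for line in lines[1:]:
        if line == "":  # blank line ends the echoed header block
            break
        name, _, value = line.partition(":")
        echoed[name.strip().lower()] = value.strip()
    return echoed


def classify(status: int, headers: dict, body: bytes, sent_headers: dict) -> dict:
    """Classify a TRACE response and list which of the headers we sent were reflected."""
    echoed = echoed_request_headers(body)
    looks_like_echo = status == 200 and (
        headers.get("content-type", "").lower().startswith("message/http") or bool(echoed)
    )
    if looks_like_echo:
        verdict = "trace_enabled"
    elif status in BLOCKED_STATUSES:
        verdict = "trace_blocked"
    else:
        verdict = "inconclusive"
    reflected = sorted(n for n, v in sent_headers.items() if echoed.get(n.lower()) == v)
    return {"status": status, "verdict": verdict, "reflected_headers": reflected}


def classify_raw(raw: bytes, sent_headers: dict) -> dict:
    """Convenience wrapper: classify a captured raw response."""
    status, headers, body = parse_raw_response(raw)
    return classify(status, headers, body, sent_headers)


def live_check(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> dict:
    """Send one TRACE request to a server under audit and classify the answer."""
    sent = {"Host": host, "Accept": "*/*", "Cookie": "xst-probe=1"}  # probe value, not a real session
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers=sent)
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return classify(resp.status, headers, resp.read(), sent)
    finally:
        conn.close()


# Constructed sample: TRACE enabled, server echoes our request including the Cookie header.
SAMPLE_ECHO = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.1\r\n"
    b"Host: 127.0.0.1\r\n"
    b"Accept: */*\r\n"
    b"Cookie: name=value\r\n"
    b"\r\n"
)

# Constructed sample: TRACE disabled (e.g. Apache with "TraceEnable off"), a 405 page.
SAMPLE_BLOCKED = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><head><title>405 Method Not Allowed</title></head>\r\n"
    b"<body><h1>Method Not Allowed</h1></body></html>\r\n"
)

if __name__ == "__main__":
    sent = {"Host": "127.0.0.1", "Accept": "*/*", "Cookie": "name=value"}
    print(classify_raw(SAMPLE_ECHO, sent))     # verdict trace_enabled, Cookie reflected
    print(classify_raw(SAMPLE_BLOCKED, sent))  # verdict trace_blocked
```

The classifier treats a 200 with a message/http body, or any 200 whose body starts with our own request line, as an echo; a 200 that returns ordinary HTML is reported as inconclusive rather than safe, since some front-ends answer unknown methods with the home page.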

The following is an example of a TRACE request using XMLHttpRequest in JavaScript. It does not work in Firefox 19.0.2, which raises an “Illegal Value” error, and it does not work in Google Chrome 25.0.1364.172, which throws “Uncaught Error: SecurityError: DOM Exception 18”. This is because, to help mitigate XST, modern browsers block the TRACE method in XMLHttpRequest.

<script>
  var xmlhttp = new XMLHttpRequest();
  var url = 'http://127.0.0.1/';

  xmlhttp.withCredentials = true; // send cookie header
  xmlhttp.open('TRACE', url, false);
  xmlhttp.send();
</script>

The ZOFixer.com security scan helps find this vulnerability in your web application; you can use it by registering on our website and activating the 30-day trial.
