Difference between revisions of "Cross Site Tracing"

From OWASP
Jump to: navigation, search
(Added TRACK method to description)
 
(9 intermediate revisions by 2 users not shown)
Line 2: Line 2:
 
<br>
 
<br>
 
[[Category:OWASP ASDR Project]]
 
[[Category:OWASP ASDR Project]]
[[ASDR Table of Contents]]
+
 
 +
 
 +
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
 
==Description==
 
==Description==
An XST (Cross-Site Tracing) attack involves the use of XSS and the HTTP TRACE function. HTTP TRACE is a default function in many webservers, primarily used for debugging. The client sends an HTTP TRACE with all header information including cookies, and the server simply responds with that same data. If using Javascript or other methods to steal a cookie or other information is disabled through the use of an "httpOnly" cookie or otherwise, an attacker may force the browser to send an HTTP TRACE request and send the server response to another site. "httpOnly" is an extra parameter added to cookies which hides the cookie from the script (supported in most, but not all browsers). For example "javascript:alert(document.cookie)" would not show an httpOnly cookie.
+
A '''Cross-Site Tracing (XST)''' attack involves the use of [[Cross-site Scripting (XSS)]] and the TRACE or TRACK HTTP methods. According to [http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html RFC 2616], "TRACE allows the client to see what is being received at the other end of the request chain and use that data for testing or diagnostic information.", the TRACK method works in the same way but is specific to Microsoft's IIS web server. XST could be used as a method to steal user's cookies via [[Cross-site Scripting (XSS)]] even if the cookie has the "[[HttpOnly]]" flag set and/or expose the user's Authorization header.
 +
 
 +
The TRACE method, while apparently harmless, can be successfully leveraged in some scenarios to steal legitimate users' credentials. This attack technique was discovered by Jeremiah Grossman in 2003, in an attempt to bypass the [[HttpOnly]] tag that Microsoft introduced in Internet Explorer 6 sp1 to protect cookies from being accessed by JavaScript. As a matter of fact, one of the most recurring attack patterns in Cross Site Scripting is to access the document.cookie object and send it to a web server controlled by the attacker so that he/she can hijack the victim's session. Tagging a cookie as [[HttpOnly]] forbids JavaScript to access it, protecting it from being sent to a third party. However, the TRACE method can be used to bypass this protection and access the cookie even in this scenario.
  
This type of attack can occur when the there is an XSS vulnerability and the server supports HTTP TRACE.
+
Modern browsers now prevent TRACE requests being made via JavaScript, however, other ways of sending TRACE requests with browsers have been discovered, such as using Java.
  
 
==Risk Factors==
 
==Risk Factors==
Line 13: Line 17:
  
 
==Examples==
 
==Examples==
TBD
+
 
 +
An example using cURL from the command line to send a TRACE request to a web server on the localhost with TRACE enabled. Notice how the web server responds with the request that was sent to it.
 +
 
 +
<pre>
 +
$ curl -X TRACE 127.0.0.1
 +
TRACE / HTTP/1.1
 +
User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
 +
Host: 127.0.0.1
 +
Accept: */*
 +
</pre>
 +
 
 +
In this example notice how we send a Cookie header with the request and it is also in the web server's response.
 +
 
 +
<pre>
 +
$ curl -X TRACE -H "Cookie: name=value" 127.0.0.1
 +
TRACE / HTTP/1.1
 +
User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
 +
Host: 127.0.0.1
 +
Accept: */*
 +
Cookie: name=value
 +
</pre>
 +
 
 +
In this example the TRACE method is disabled, notice how we get an error instead of the request we sent.
 +
 
 +
<pre>
 +
$ curl -X TRACE 127.0.0.1
 +
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
 +
<html><head>
 +
<title>405 Method Not Allowed</title>
 +
</head><body>
 +
<h1>Method Not Allowed</h1>
 +
<p>The requested method TRACE is not allowed for the URL /.</p>
 +
</body></html>
 +
</pre>
 +
 
 +
Example JavaScript XMLHttpRequest TRACE request. In Firefox 19.0.2 it will not work and return a "Illegal Value" error. In Google Chrome 25.0.1364.172 it will not work and return a "Uncaught Error: SecurityError: DOM Exception 18" error. This is because modern browsers now block the TRACE method in XMLHttpRequest to help mitigate XST.
 +
 
 +
<pre>
 +
<script>
 +
  var xmlhttp = new XMLHttpRequest();
 +
  var url = 'http://127.0.0.1/';
 +
 
 +
  xmlhttp.withCredentials = true; // send cookie header
 +
  xmlhttp.open('TRACE', url, false);
 +
  xmlhttp.send();
 +
</script>
 +
</pre>
 +
 
 +
== Remediation ==
 +
 
 +
===Apache===
 +
In Apache versions 1.3.34, 2.0.55 and later, set the TraceEnable directive to "off" in the main configuration file and then restart Apache. See [http://httpd.apache.org/docs/2.2/mod/core.html#traceenable TraceEnable] for further information.
 +
 
 +
<pre>
 +
TraceEnable off
 +
</pre>
  
 
==Related [[Threat Agents]]==
 
==Related [[Threat Agents]]==
Line 36: Line 95:
 
* Cross-Site Tracing (XST): http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
 
* Cross-Site Tracing (XST): http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
 
* [[Testing for HTTP Methods and XST (OWASP-CM-008)]]
 
* [[Testing for HTTP Methods and XST (OWASP-CM-008)]]
 
+
* [http://osvdb.org/show/osvdb/877 OSVDB 877]
 +
* [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3398 CVE-2005-3398]
 +
* [http://seckb.yehg.net/2012/06/xss-gaining-access-to-httponly-cookie.html XSS: Gaining access to HttpOnly Cookie in 2012]
 +
* [https://bugzilla.mozilla.org/show_bug.cgi?id=302489 Mozilla Bug 302489]
 +
* [https://bugzilla.mozilla.org/show_bug.cgi?id=381264 Mozilla Bug 381264]
  
 
[[Category:Attack]]
 
[[Category:Attack]]

Latest revision as of 12:35, 2 April 2013

This is an Attack. To view all attacks, please see the Attack Category page.




Last revision (mm/dd/yy): 04/2/2013

Description

A Cross-Site Tracing (XST) attack involves the use of Cross-site Scripting (XSS) and the TRACE or TRACK HTTP methods. According to RFC 2616, "TRACE allows the client to see what is being received at the other end of the request chain and use that data for testing or diagnostic information.", the TRACK method works in the same way but is specific to Microsoft's IIS web server. XST could be used as a method to steal user's cookies via Cross-site Scripting (XSS) even if the cookie has the "HttpOnly" flag set and/or expose the user's Authorization header.

The TRACE method, while apparently harmless, can be successfully leveraged in some scenarios to steal legitimate users' credentials. This attack technique was discovered by Jeremiah Grossman in 2003, in an attempt to bypass the HttpOnly tag that Microsoft introduced in Internet Explorer 6 sp1 to protect cookies from being accessed by JavaScript. As a matter of fact, one of the most recurring attack patterns in Cross Site Scripting is to access the document.cookie object and send it to a web server controlled by the attacker so that he/she can hijack the victim's session. Tagging a cookie as HttpOnly forbids JavaScript to access it, protecting it from being sent to a third party. However, the TRACE method can be used to bypass this protection and access the cookie even in this scenario.

Modern browsers now prevent TRACE requests being made via JavaScript, however, other ways of sending TRACE requests with browsers have been discovered, such as using Java.

Risk Factors

TBD

Examples

An example using cURL from the command line to send a TRACE request to a web server on the localhost with TRACE enabled. Notice how the web server responds with the request that was sent to it.

$ curl -X TRACE 127.0.0.1
TRACE / HTTP/1.1
User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
Host: 127.0.0.1
Accept: */*

In this example notice how we send a Cookie header with the request and it is also in the web server's response.

$ curl -X TRACE -H "Cookie: name=value" 127.0.0.1
TRACE / HTTP/1.1
User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
Host: 127.0.0.1
Accept: */*
Cookie: name=value

In this example the TRACE method is disabled, notice how we get an error instead of the request we sent.

$ curl -X TRACE 127.0.0.1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /.</p>
</body></html>

Example JavaScript XMLHttpRequest TRACE request. In Firefox 19.0.2 it will not work and return a "Illegal Value" error. In Google Chrome 25.0.1364.172 it will not work and return a "Uncaught Error: SecurityError: DOM Exception 18" error. This is because modern browsers now block the TRACE method in XMLHttpRequest to help mitigate XST.

<script>
  var xmlhttp = new XMLHttpRequest();
  var url = 'http://127.0.0.1/';

  xmlhttp.withCredentials = true; // send cookie header
  xmlhttp.open('TRACE', url, false);
  xmlhttp.send();
</script>

Remediation

Apache

In Apache versions 1.3.34, 2.0.55 and later, set the TraceEnable directive to "off" in the main configuration file and then restart Apache. See TraceEnable for further information.

TraceEnable off

Related Threat Agents

TBD

Related Attacks

Related Vulnerabilities

TBD

Related Controls

References