Cross Site Tracing

From OWASP

[[Category:OWASP ASDR Project]]
[[ASDR Table of Contents]]__TOC__

Last revision (mm/dd/yy): 04/23/2009

==Description==

An XST (Cross-Site Tracing) attack combines XSS with the HTTP TRACE method. TRACE is enabled by default on many web servers and is intended for debugging: the client sends a TRACE request, and the server echoes that request back in the response body, headers included, so any cookie the browser attached is returned to the client as readable data. When a script cannot read a cookie directly because the cookie was set with the "httpOnly" flag (or because access is restricted in some other way), an attacker who can run script in the victim's browser may instead make the browser send an HTTP TRACE request and forward the echoed response, cookies included, to a site under the attacker's control. "httpOnly" is an extra attribute added to a cookie that hides the cookie from script (supported by most, but not all, browsers); for example, "javascript:alert(document.cookie)" will not display an httpOnly cookie.

This type of attack can occur when there is an XSS vulnerability and the server supports HTTP TRACE. Current browsers refuse to send TRACE from XMLHttpRequest and fetch(), so script alone can no longer issue the request; disabling TRACE on the server remains the reliable fix, because non-browser and older clients can still send it and a single echoed request exposes every header it carried.
==Risk Factors==

TBD
[[Category:FIXME|need content here]]

==Examples==

TBD
[[Category:FIXME|need content here]]

 
==Related [[Threat Agents]]==

* [[Threat Agent 1]]
* [[Threat Agent 2]]

TBD
[[Category:FIXME|need links]]

 
==Related [[Attacks]]==

* [[Cross-site Scripting (XSS)]]

 
==Related [[Vulnerabilities]]==

* [[Vulnerability 1]]
* [[Vulnerability 2]]

TBD

 
==Related [[Controls]]==

* [[Input Validation]]
* [[Output Validation]]
* [[Canonicalization]]
* Disable HTTP TRACE on your web server
* Prevent any XSS on your web site
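To make the echo behaviour from the Description concrete and to give the "Disable HTTP TRACE" control a verifiable check, here is an added Python example; it is not part of this OWASP page or of any referenced tool. It runs two small loopback servers, one with TRACE left enabled (the request is echoed as a message/http body, which is what a TRACE-enabled server does) and one that refuses TRACE with 405, then sends each a raw TRACE request carrying a Cookie header and reports whether the cookie came back. The handler class names, the probe function, and the sample cookie value are all constructed for the example.

```python
"""Cross-Site Tracing (XST) lab: a TRACE-echoing server next to a hardened one,
plus the raw probe a tester would use to see what a TRACE response leaks.
Everything here is constructed for the example and runs on 127.0.0.1 only."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class TraceEchoHandler(BaseHTTPRequestHandler):
    """Behaves like a server with TRACE left on: the request is echoed verbatim."""

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def do_TRACE(self):
        # Echo the request line and every request header as a message/http body.
        # Whatever the client sent (a browser would attach its cookies here,
        # httpOnly or not) comes straight back as readable response data.
        lines = [self.requestline] + [f"{k}: {v}" for k, v in self.headers.items()]
        body = ("\r\n".join(lines) + "\r\n").encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class TraceDisabledHandler(TraceEchoHandler):
    """The hardened variant: TRACE is refused and nothing from the request is echoed."""

    def do_TRACE(self):
        body = b"TRACE is disabled on this server.\r\n"
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(handler_cls):
    """Start handler_cls on an ephemeral loopback port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def trace_probe(host, port, cookie):
    """Send a raw TRACE request carrying a Cookie header and report the result.

    Returns (status_code, echoed_cookie): echoed_cookie is the Cookie value
    found in a 200 response body, or None when the server did not echo it.
    """
    request = (
        f"TRACE / HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        f"Cookie: {cookie}\r\n"
        f"Connection: close\r\n\r\n"
    ).encode("latin-1")
    chunks = []
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks).decode("latin-1")
    head, _, body = raw.partition("\r\n\r\n")
    status = int(head.split(" ", 2)[1])
    echoed = None
    if status == 200:
        # The echoed request is itself an HTTP message: scan it for the Cookie header.
        for line in body.splitlines():
            name, sep, value = line.partition(":")
            if sep and name.strip().lower() == "cookie":
                echoed = value.strip()
    return status, echoed


def demo():
    """Probe both servers with a constructed session cookie; return the results."""
    cookie = "sessionid=0123456789abcdef"  # constructed sample value, not a real token
    results = {}
    for label, handler in (("trace-enabled", TraceEchoHandler),
                           ("trace-disabled", TraceDisabledHandler)):
        server, port = serve(handler)
        try:
            results[label] = trace_probe("127.0.0.1", port, cookie)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for label, (status, echoed) in demo().items():
        print(f"{label}: HTTP {status}, echoed cookie: {echoed!r}")
```

Against a real host, point trace_probe at it: a 200 response whose body repeats your Cookie header means TRACE is enabled and the XST precondition holds; a 405 or 501 means the server refuses the method. On Apache httpd the server-side fix is the TraceEnable off directive; nginx rejects TRACE with 405 by default.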
  
 
==References ==

* Cross-Site Tracing (XST): http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
* [[Testing for HTTP Methods and XST (OWASP-CM-008)]]

[[Category:FIXME|According to the template, each article needs to have "subcategories"; need those for this article]]

[[Category:Attack]]

Revision as of 06:40, 23 April 2009

This is an Attack. To view all attacks, please see the Attack Category page.



