Difference between revisions of "Cross Site Tracing"

From OWASP
(Added a lot of information, amended the description.)
(Removed Linux as I was using OS X and you can see that from the ua string)
Line 14: Line 14:
 
==Examples==
 
==Examples==
  
An example using cURL from a Linux command line to send a TRACE request to a web server on the localhost with TRACE enabled. Notice how the web server responds with the request that was sent to it.
+
An example using cURL from the command line to send a TRACE request to a web server on the localhost with TRACE enabled. Notice how the web server responds with the request that was sent to it.
  
 
<pre>
 
<pre>

Revision as of 17:30, 21 March 2013

This is an Attack. To view all attacks, please see the Attack Category page.




Last revision (mm/dd/yy): 03/21/2013

Description

A Cross-Site Tracing (XST) attack involves the use of Cross-site Scripting (XSS) and the TRACE HTTP method. According to RFC 2616, "TRACE allows the client to see what is being received at the other end of the request chain and use that data for testing or diagnostic information." XST could be used as a method to steal a user's cookies via Cross-site Scripting (XSS) even if the cookie has the "HttpOnly" flag set, because the TRACE response echoes the request headers, including the Cookie header, back in its body.

Risk Factors

TBD

Examples

An example using cURL from the command line to send a TRACE request to a web server on the localhost with TRACE enabled. Notice how the web server responds with the request that was sent to it.

$ curl -X TRACE 127.0.0.1
TRACE / HTTP/1.1
User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
Host: 127.0.0.1
Accept: */*

In this example, notice that the Cookie header we send with the request also appears in the web server's response.

$ curl -X TRACE -H "Cookie: name=value" 127.0.0.1
TRACE / HTTP/1.1
User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
Host: 127.0.0.1
Accept: */*
Cookie: name=value

In this example the TRACE method is disabled. Notice how we get an error instead of the request we sent.

$ curl -X TRACE 127.0.0.1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /.</p>
</body></html>

Remediation

Apache

In Apache versions 1.3.34, 2.0.55 and later, set the TraceEnable directive to "off" in the main configuration file and then restart Apache. See TraceEnable for further information.

TraceEnable off
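
To confirm the setting took effect, the cURL checks shown under Examples can be automated. The following is an added example, not part of the original page: `probe_trace`, `DemoHandler`, `demo` and the `X-Trace-Probe` header are hypothetical names, and the loopback server is constructed here to stand in for a web server with TRACE on or off.

```python
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_trace(host, port, timeout=5):
    """Send TRACE carrying a random canary in X-Trace-Probe (hypothetical name)."""
    marker = secrets.token_hex(8)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"X-Trace-Probe": marker})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1")
    finally:
        conn.close()
    enabled = resp.status == 200 and marker in body  # 200 plus echoed canary
    return {"status": resp.status, "trace_enabled": enabled}


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed loopback server standing in for a real web server."""
    trace_on = True

    def do_TRACE(self):
        if not self.trace_on:
            self.send_error(405, "Method Not Allowed")
            return
        echo = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)

    def log_message(self, *args):  # silence per-request logging
        pass


def demo(trace_on):
    """Start the constructed server on a free port and probe it."""
    handler = type("H", (DemoHandler,), {"trace_on": trace_on})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe_trace("127.0.0.1", srv.server_port)
    finally:
        srv.shutdown()
        srv.server_close()
```

Matching on a random canary rather than on the status code alone avoids counting a server that answers 200 with an unrelated page as having TRACE enabled.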

Related Threat Agents

TBD

Related Attacks

Related Vulnerabilities

TBD

Related Controls

References