Cross-site Tracing (XST)

Overview of the attack

Cross-site tracing (XST) exploits the HTTP TRACE method, which was designed for reflecting characters off a webserver exactly as they are sent. This can be used by an attacker to bounce a malicious script off the webserver and into a user's browser. This script then runs in the browser with the same impact as a cross-site scripting attack (which uses the HTTP GET or POST methods instead).

What makes a site vulnerable

A website will be vulnerable to XST if it runs on a webserver supporting the HTTP TRACE method.

Impact of the attack

The impact of the attack is as for cross-site scripting attacks. Specifically, it can be used to launch phishing attacks, to spread mis-information, to perform cross-site request forgeries or to capture a user's login details.

Preventing the attack

The TRACE method is not utilised by the majority of websites and can therefore be safely disabled or blocked (e.g. using mod_rewrite in Apache or UrlScan in IIS).

Website Security Book

Security for websites, web-applications and web-services