Cross-site Tracing
Oct 11 2016
Cross-site Tracing or XST is a form of Cross-site Scripting (XSS). One of the ways that Cross-site Scripting is effective is by stealing sensitive information stored in a user’s cookies. Access to cookies can be extremely easy with a piece of rogue JavaScript.
<script>alert(document.cookie);</script>
Cookies are often used to store a session id or token that can be referenced server-side. This is one way that sites can maintain state, such as the authentication status of a user, or a session id that identifies a server-side session.
A measure was introduced into browsers to combat this vulnerability of JavaScript’s access to cookie. Browsers started respecting the HttpOnly
tag on a cookie, which prevents the cookie from being accessible through the document
object. With this feature, servers can specify that a cookie, such as the session id, is to be used with HTTP only.
What is Cross-site Tracing?
One of the less used HTTP methods is TRACE, which sends the message received by the final recipient in the body of the response message. This method might be useful in a debugging scenario, particularly if there is some intermediary between the client the server, such as a load balancer.
Because it includes the request message in the body of the response, it is possible that it may contain cookies that were tagged with HttpOnly
when they were originally received from the server. This gives a malicious guest script access to the HttpOnly
cookies.
As an example, imagine that a response has already been received where the user_session
cookie is set and is tagged as HttpOnly
.
Set-Cookie: user_session=abe573ef; HttpOnly
Then, a TRACE request is sent from the browser, which includes the user_session
cookie.
Request
TRACE / HTTP/1.1
Host: www.example.com
Cookie: user_session=abe573ef;
Response
HTTP/1.1 200 OK
Server: Apache
Date: Tue, 31 Oct 2016 08:01:48 GMT
Connection: close
Content-Type: message/http
Content-Length: 69
TRACE / HTTP/1.1
Host: www.example.com
Cookie: user_session=abe573ef;
The user_session
is in the body of the response to the TRACE request, which means the JavaScript code that executed the request now has access to the user_session
.
Prevention
One way to protect against this vulnerability is to disable TRACE requests on your web server. From my research, it appears that most web servers either do not support TRACE, or disable it by default.
Further, modern browsers have disabled the ability to issue TRACE requests via JavaScript.
Sources:
Recent Articles
- Apprenticeship Retro Oct 14 2016
- What the hell is CORS Oct 13 2016
- Cross-site Tracing Oct 11 2016
- Learning Testing Tools First Oct 7 2016