Oct 11 2016
Cookies are often used to store a session id or token that the server looks up on each request. This is one way that sites maintain state across requests, such as whether a user is authenticated.
Because a session cookie is valuable to an attacker, browsers support the HttpOnly flag on a cookie, which prevents the cookie from being read through the document object (document.cookie). With this flag, a server can specify that a cookie, such as the session id, is to be sent with HTTP requests only and never exposed to script.
What is Cross-site Tracing?
One of the less used HTTP methods is TRACE, which asks the final recipient to reflect the request message it received back in the body of the response. This can be useful for debugging, particularly when there is some intermediary between the client and the server, such as a load balancer, that may be altering requests on the way through.
Because the response body echoes the request message, it may contain cookies that were tagged HttpOnly when they were originally received from the server. A malicious script that can issue a TRACE request and read the response therefore gains access to cookie values that HttpOnly was meant to keep out of its reach.
As an example, imagine that a response has already been received in which the user_session cookie is set and tagged HttpOnly:

    Set-Cookie: user_session=abe573ef; HttpOnly

Then, a TRACE request is sent from the browser, and the browser attaches the cookie as it would for any other request:

    TRACE / HTTP/1.1
    Host: www.example.com
    Cookie: user_session=abe573ef;

The server reflects the request, cookie included, in the body of its response, where script can read it:

    HTTP/1.1 200 OK
    Server: Apache
    Date: Tue, 31 Oct 2016 08:01:48 GMT
    Connection: close
    Content-Type: message/http
    Content-Length: 69

    TRACE / HTTP/1.1
    Host: www.example.com
    Cookie: user_session=abe573ef;
One way to protect against this vulnerability is to disable TRACE requests on your web server. From my research, it appears that most web servers either do not support TRACE or disable it by default.
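The reflection described in the example above, and the "is TRACE disabled?" check that the mitigation calls for, can both be exercised with the following probe. It is an added example and not code from the original post: it sends a TRACE request carrying a marker cookie (the cookie name xst_probe and its canary value are assumptions) and reports whether the server echoes that cookie in a 200 response body. The sample responses at the bottom are constructed for the example, not captured from a real server.

```python
"""Probe for Cross-site Tracing (XST) exposure.

Added example, not code from the original post. It sends a TRACE request
carrying a marker cookie and checks whether the server reflects the Cookie
header in the response body, which is what would let a script recover a
cookie that HttpOnly was meant to hide. The cookie name "xst_probe" and the
canary value are assumptions made for this example.
"""
import re
import socket
import ssl

MARKER_COOKIE = "xst_probe=canary-0a1b2c"  # assumed marker; any unique value works


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # tolerate bare-LF responses
        head, _, body = raw.partition(b"\n\n")
    lines = head.decode("iso-8859-1").splitlines()
    match = re.match(r"HTTP/\d\.\d (\d{3})", lines[0] if lines else "")
    if not match:
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(match.group(1)), headers, body


def reflects_cookie(raw: bytes, marker: str = MARKER_COOKIE) -> bool:
    """True when a 200 TRACE response echoes our Cookie header in its body."""
    status, _headers, body = parse_http_response(raw)
    if status != 200:
        return False  # 405 / 501: TRACE is disabled or unsupported
    pattern = rb"(?im)^cookie:[^\r\n]*" + re.escape(marker.encode("ascii"))
    return re.search(pattern, body) is not None


def probe(host: str, port: int = 443, path: str = "/",
          use_tls: bool = True, timeout: float = 5.0) -> bytes:
    """Send TRACE with the marker cookie and return the raw response bytes."""
    request = (
        f"TRACE {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: {MARKER_COOKIE}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed sample responses (not captured from a real server).
REFLECTING = (
    b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: message/http\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\nCookie: xst_probe=canary-0a1b2c\r\n"
)
STRIPPED = (  # TRACE answered, but an intermediary removed the Cookie header
    b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n"
)
DISABLED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"

if __name__ == "__main__":
    for name, sample in [("reflecting", REFLECTING), ("stripped", STRIPPED), ("disabled", DISABLED)]:
        print(name, "exposed" if reflects_cookie(sample) else "not exposed")
    # Live check against a host you are authorized to test (network access required):
    # print(reflects_cookie(probe("www.example.com")))
```

Only run probe() against hosts you are authorized to test. A 405 or 501 means TRACE is off, which is the state you want; on Apache the directive TraceEnable off turns it off explicitly. Note that current browsers refuse to issue TRACE from XMLHttpRequest or fetch, so this probe is mainly useful as a hardening check rather than as an attack path from page script.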