RxHarun

 Cross-Site Tracing (XST)

Dr. Harun Ar Rashid, MD - Arthritis, Bones, Joints Pain, Trauma, and Internal Medicine Specialist Dr. Harun Ar Rashid, MD - Arthritis, Bones, Joints Pain, Trauma, and Internal Medicine Specialist
0 Views
Rx iT World Hacking Tutorial

Cross-Site Tracing (XST) attack involves the use of [Cross-site Scripting (XSS)]({{ site.baseurl }}/attacks/xss) and the TRACE or TRACK HTTP methods. According to RFC 2616, “TRACE allows the client to see what is being received at the other end of the request chain and use that data for testing or diagnostic information.”, the TRACK method works in the same way but is specific to Microsoft’s IIS web server. XST could be used as a method to steal user’s cookies via [Cross-site Scripting (XSS)]({{ site.baseurl }}/attacks/xss) even if the cookie has the “HttpOnly” flag set or exposes the user’s Authorization header.

The TRACE method, while apparently harmless, can be successfully leveraged in some scenarios to steal legitimate users’ credentials. This attack technique was discovered by Jeremiah Grossman in 2003, in an attempt to bypass the HttpOnly tag that Microsoft introduced in Internet Explorer 6 sp1 to protect cookies from being accessed by JavaScript. As a matter of fact, one of the most recurring attack patterns in Cross Site Scripting is to access the document.cookie object and send it to a web server controlled by the attacker so that they can hijack the victim’s session. Tagging a cookie as HttpOnly forbids JavaScript to access it, protecting it from being sent to a third party. However, the TRACE method can be used to bypass this protection and access the cookie even in this scenario.

Modern browsers now prevent TRACE requests being made via JavaScript, however, other ways of sending TRACE requests with browsers have been discovered, such as using Java.

You Might Also Like This Posts:

  1. Cross-Site Scripting (XSS) Attacks Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to […]...
  2. Cross-Site History Manipulation (XSHM) Cross-Site History Manipulation (XSHM) is a SOP (Same Origin Policy) security breach. SOP is the most important security concept of modern browsers. SOP means that web pages from different origins by design cannot communicate with each other. Cross-Site History Manipulation breach is based on the fact that client-side browser history object is not properly partitioned on a per-site basis. Manipulating […]...
  3. Cross-Frame Scripting (XFS) iAttack Cross-Frame Scripting (XFS) is an attack that combines malicious JavaScript with an iframe that loads a legitimate page in an effort to steal data from an unsuspecting user. This attack is usually only successful when combined with social engineering. An example would consist of an attacker convincing the user to navigate to a web page […]...
  4. Cross User Defacement Attacks An attacker can make a single request to a vulnerable server that will cause the server to create two responses, the second of which may be misinterpreted as a response to a different request, possibly one made by another user sharing the same TCP connection with the server. This can be accomplished by convincing the […]...
  5. Cross-origin Resource Sharing (CORS) Cross-origin resource sharing (CORS) is a mechanism for integrating applications. CORS defines a way for client web applications that are loaded in one domain to interact with resources in a different domain. This is useful because complex applications often reference third-party APIs and resources in their client-side code. For example, your application may use your […]...
  6. Distributed Tracing Distributed tracing is observing data requests as they flow through a distributed system. Modern microservices architecture often has multiple small independent components—these components constantly communicate and exchange data using APIs to do complex work. With distributed tracing, developers can trace—or visually follow—a request path across different microservices. This visibility helps troubleshoot errors or fix bugs […]...
  7. Content spoofing, Content Injection Content spoofing, also referred to as content injection, “arbitrary text injection” or virtual defacement, is an attack targeting a user made possible by an injection vulnerability in a web application. When an application does not properly handle user-supplied data, an attacker can supply content to a web application, typically via a parameter value, that is […]...
  8. 20 Signs Your WordPress Site Is Hacked (And How to Fix It) Is your WordPress website acting strangely? Do you suspect it might be hacked? Don’t worry; you’re not alone. WordPress is a popular platform, and hackers often target it. In this article, we’ll explain 20 common signs that your WordPress site might be compromised and provide simple steps to fix these issues. Let’s get started! Strange […]...
  9. Web Development Languages 101 Programming languages are developers’ tools—and each is well suited for a particular kind of website, application type, or project size and scope. Developers will have their preferences, and will also know which languages and frameworks to use to maximize an application’s potential as well as its efficiency. However, when it comes to these skills—probably the […]...
  10. How to Fix Your Connection is Not Private Error (Site Owners Guide) Are you a website owner? Have you ever come across the dreaded “Your Connection is Not Private” error message while browsing the internet? If so, you’re not alone. This error can be frustrating for both website visitors and site owners. In this guide, we will break down what this error means, why it occurs, and […]...

To Get Daily Health Newsletter

We don’t spam! Read our privacy policy for more info.

Terms and Conditions of Use
Privacy Policy
Cookie Policy
Editorial Policy
Advertising Policy
EU User Consent Policy
Correction Policy
Citation Policy
Ethics and Logical Policies
About Us
Contact Us
Newsletter
Career
Sitemap
Advertise with us
Editorial Board Members
Review Board Member
Team RxHarun
Web Developers Team
Guest Posts and Sponsored Posts
Request for Board Member
Women Writers
Download Mobile Apps
Follow us on Social Media
© 2012 - 2025; All rights reserved by authors. Powered by Mediarx International LTD, a subsidiary company of Rx Foundation.
RxHarun
Logo