CAPEC-107 Detail
Cross Site Tracing
Abstraction: Detailed
Domain: Software
Likelihood of Attack: Medium
Typical Severity: Very High
Parents: 593
Threats: T293
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-107 | capec | https://capec.mitre.org/data/definitions/107.html | |
| CWE-693 | cwe | http://cwe.mitre.org/data/definitions/693.html | |
| CWE-648 | cwe | http://cwe.mitre.org/data/definitions/648.html | |
| OWASP Attacks | | https://owasp.org/www-community/attacks/Cross_Site_Tracing | Cross Site Tracing |
| REF-3 | reference_from_CAPEC | http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf | Jeremiah Grossman, Cross-Site Tracing (XST), 2003, WhiteHat Security |
Execution Flow
Explore
- Determine if HTTP TRACE is enabled: Determine whether HTTP TRACE is enabled on the web server with which the victim has an active session.
| Techniques |
|---|
| An adversary may issue an HTTP TRACE request to the target web server and observe whether the response arrives with the original request echoed in the body of the response. |
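The Explore step above is also the check a defender runs against their own servers. The following is an added example (not part of the CAPEC entry): it sends a single TRACE request carrying a marker Cookie header and reports whether the server reflects that header back, which is exactly the condition this pattern depends on. It includes a constructed in-process server so it can be run offline in both the "TRACE enabled" and "TRACE refused" configurations; the hostnames, ports and cookie value are placeholders.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def trace_is_reflected(host, port, path="/", cookie="sid=constructed-marker", timeout=5):
    """Return True if the server answers TRACE by echoing the request (and its
    Cookie header) back in the body. A server that does this, combined with an
    XSS or other same-origin bypass, enables CAPEC-107."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={"Cookie": cookie})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
    finally:
        conn.close()
    ctype = resp.getheader("Content-Type") or ""
    # A TRACE reflection is a 200 whose body is the request message itself
    # (Content-Type message/http per RFC 7231, starting with the request line).
    echoed = resp.status == 200 and ("message/http" in ctype or body.startswith("TRACE "))
    return echoed and cookie in body


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed test server: either echoes TRACE or refuses it with 405,
    the response a hardened server (e.g. Apache with TraceEnable off) gives."""
    allow_trace = True

    def do_TRACE(self):
        if not self.allow_trace:
            self.send_response(405)
            self.send_header("Allow", "GET, HEAD")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        echo = self.requestline.encode() + b"\r\n" + self.headers.as_bytes()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo(allow_trace):
    """Start the constructed server on a random loopback port and probe it."""
    _DemoHandler.allow_trace = allow_trace
    srv = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return trace_is_reflected("127.0.0.1", srv.server_port)
    finally:
        srv.shutdown()
        srv.server_close()
```

Against a real host, `trace_is_reflected(host, port)` returning True is a finding to fix by disabling the TRACE method at the server or reverse proxy; a False from a 405 or 501 is the expected hardened result.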
Experiment
- Identify mechanism to launch HTTP TRACE request: The adversary attempts to force the victim to issue an HTTP TRACE request to the targeted application.
| Techniques |
|---|
| The adversary probes for cross-site scripting vulnerabilities that can be used to force the victim into issuing an HTTP TRACE request. |
Exploit
- Create a malicious script that sends an HTTP TRACE request to the web server: The adversary creates a malicious script that will induce the victim's browser to issue an HTTP TRACE request to the destination system's web server. The script will further intercept the response from the web server, pick sensitive information out of it, and forward it to a site controlled by the adversary.
- Execute the malicious HTTP TRACE launching script: The adversary leverages an XSS vulnerability to force the victim to execute the malicious HTTP TRACE launching script.
- Intercept the HTTP TRACE response: The adversary's script intercepts the HTTP TRACE response from the web server, gleans sensitive information from it, and forwards that information to a server controlled by the adversary.
| Techniques |
|---|
| The adversary's malicious script circumvents the httpOnly cookie attribute, which prevents the victim's session cookie from being read directly via document.cookie, and instead leverages HTTP TRACE to capture that information from the header of the HTTP request once it is echoed back by the web server in the body of the HTTP TRACE response. |
Prerequisites
- HTTP TRACE is enabled on the web server
- The destination system is susceptible to XSS, or an adversary can leverage some other weakness to bypass the same-origin policy
- Scripting is enabled in the client's browser
- HTTP is used as the communication protocol between the server and the client
Resources Required
- None: No specialized resources are required to execute this type of attack.
Skills Required
| Level | Skill |
|---|---|
| Medium | Understanding of the HTTP protocol and an ability to craft a malicious script |
Consequences
| Scope | Impact |
|---|---|
| Integrity | Modify Data |
| Authorization | Gain Privileges |
| Access Control | Gain Privileges |
| Confidentiality | Read Data, Gain Privileges |
Example Instances
- An adversary determines that a particular system is vulnerable to reflected cross-site scripting (XSS) and endeavors to leverage this weakness to steal the victim's authentication cookie. The adversary realizes that, since the httpOnly attribute is set on the user's cookie, it is not possible to steal it directly with their malicious script. Instead, the adversary has their script use the XMLHTTP ActiveX control in the victim's IE browser to issue an HTTP TRACE to the target system's server, which has HTTP TRACE enabled. The original HTTP TRACE request contains the session cookie, and so does the echoed response. The script picks the session cookie out of the body of the HTTP TRACE response and ships it to the adversary. The adversary then uses the newly acquired session cookie to impersonate the victim in the target system. In the absence of an XSS weakness on the site with which the victim is interacting, an adversary can have the script come from a site that they control and get it to execute in the victim's browser (if they can trick the victim into visiting their malicious website or clicking on a link that they supply). However, in that case, due to the same-origin policy protection mechanism in the browser, the adversary's malicious script cannot directly issue an HTTP TRACE request to the destination system's web server, because the malicious script did not originate at that domain. The adversary would then need to find a way to exploit another weakness that would enable them to circumvent the same-origin policy protection.