Cross-Site Tracing

Cross-site tracing (XST, sometimes CST) is an attack on web users that aims to read out certain user data. By combining a regular web server feature (the HTTP TRACE method) with security holes in browsers, a third party can obtain the HTTP header information a victim's browser sends. The attack occurs mainly in connection with cross-site scripting.

Unlike an ordinary cross-site scripting attack, a cross-site tracing attack is not limited to the same document or the same web server: any web server can be used to reach the victim's user data for any website. This makes the attack especially dangerous, because any site a user visits can in principle attack that user's data for any other site.

Details

An HTTP TRACE request behaves like a GET request, with the difference that the web server returns the entire request it received as an echo to the client (the response body is the request message itself, with content type message/http). A script executed on the client side can therefore send a TRACE request and intercept everything that was sent to the web server, including all HTTP header fields and with them authentication data, cookies and anything else of interest to the attacker.

With such an attack, security measures such as the HttpOnly cookie attribute introduced by Microsoft (which hides a cookie from document.cookie but not from the HTTP headers the browser sends) and even encrypted transmission over HTTPS can be circumvented: the browser still attaches the cookie to the TRACE request, and the echo arrives over the same channel in which the attacker's script is running.

Since cross-site scripting is considered the most common attack on the Internet, cross-site tracing occurs mainly in connection with it. In principle, however, every client-side technology that can create HTTP requests is suitable for this attack; besides JavaScript and JScript this includes VBScript, Flash (ActionScript), Java, ActiveX and others.

Example
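The following is an added example and not part of the original article. It reproduces, offline, the mechanism described under Details and the server-side fix described under Protection: a small HTTP server on 127.0.0.1 (a hypothetical stand-in for the target site) first echoes TRACE requests as a server with TRACE enabled would, then is replaced by a variant that refuses the method. A client sends a TRACE request carrying a constructed session cookie and Basic-auth header, as a browser would attach them automatically, and the code reports which of those secrets come back in the echo. The cookie and credential values are invented for the demonstration.

```python
"""Added example (not from the original article): TRACE echo and its fix.

Assumptions (hypothetical, for illustration only): a local HTTP server on
127.0.0.1 standing in for the target site, and constructed credential
headers of the kind a browser attaches to every request to that site.
"""
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer


class EchoingTraceHandler(BaseHTTPRequestHandler):
    """A server with TRACE enabled: it echoes the request it received."""
    protocol_version = "HTTP/1.1"

    def log_message(self, *args):  # keep the demonstration quiet
        pass

    def do_TRACE(self):
        # The response body is the request line plus all request headers,
        # exactly what an attacker's script wants to read.
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class HardenedHandler(EchoingTraceHandler):
    """The same server with TRACE disabled (Apache's TraceEnable off
    behaves like this: TRACE is answered with 405 Method Not Allowed)."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD")
        self.send_header("Content-Length", "0")
        self.end_headers()


# Constructed sample secrets; a real browser adds these headers itself,
# which is why a script does not need to know them to make them leak.
SECRET_HEADERS = {
    "Cookie": "SESSIONID=9f3c1c6e0a7b4d2e",
    "Authorization": "Basic YWxpY2U6czNjcjN0",
}


def run_server(handler_cls):
    """Start handler_cls on an ephemeral 127.0.0.1 port in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def trace_probe(host, port, headers):
    """Send a TRACE request with the given headers; return (status, body)."""
    conn = HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", "/", headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read().decode(errors="replace")
    finally:
        conn.close()


def leaked_headers(host, port, secret_headers):
    """Return (status, names of secret headers whose values appear in the echo)."""
    status, body = trace_probe(host, port, secret_headers)
    if status != 200:
        return status, []
    return status, [name for name, value in secret_headers.items() if value in body]


def demo(handler_cls):
    """Run one server variant, probe it, shut it down; return (status, leaked)."""
    server = run_server(handler_cls)
    try:
        return leaked_headers("127.0.0.1", server.server_port, SECRET_HEADERS)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("TRACE enabled :", demo(EchoingTraceHandler))  # (200, ['Cookie', 'Authorization'])
    print("TRACE disabled:", demo(HardenedHandler))      # (405, [])
```

The probe in trace_probe is the same check a practitioner runs against a real server before deployment: if the TRACE response is 200 and its body contains the headers that were sent, the server is a usable echo for a cross-site tracing attack; a 405 (or 403, depending on the server) means the method is disabled.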

Protection

Every web server that supports the TRACE method opens this avenue of attack. It can be closed by disabling TRACE support on the web server for requests to this server (in Apache, for example, with the directive TraceEnable off, which answers TRACE with 405 Method Not Allowed). Modern browsers additionally refuse to issue TRACE from XMLHttpRequest or fetch (it is a forbidden method in the Fetch standard), which blocks the original JavaScript-based variant of the attack; disabling TRACE on the server remains the reliable fix, since other clients are not bound by that rule.

On the client side, all forms of cross-site scripting can be prevented by disabling JavaScript (active scripting). However, this comes at the price that many pages no longer work as expected.
