Ask the Expert

Cross-site tracing explained

I have some understanding of cross-site scripting, but what about cross-site tracing? How do I protect against this attack?

Requires Free Membership to View

Cross-site tracing (XST) is a type of reflected cross-site scripting (XSS) that exploits the TRACE request defined in the HTTP specification. TRACE was designed as a simple test method for HTTP servers. When the server receives a TRACE request, it is supposed to respond by echoing back all the content of the request (including the cookie header). An attacker tricks a victim's browser into running a script that generates a TRACE request and sends it to the target server. When the request is reflected back to the browser, the script can pull out any cookies and sent them to the attacker. This type of attack is generally used when ordinary cross-site scripting won't work because the site uses the "HTTP Only" flag on its cookies.

To protect against this attack is, fortunately, simple. All you have to do is disable the TRACE method in your Web server or application server. This white paper discusses XST in greater detail The bigger point is that you should use a positive security model when allowing access to your application. The default rule should be to deny all HTTP methods, and only allow those you absolutely need, generally GET and POST. Continue with this model to only allow access to extensions, URLs, business functions, actions, and data that are specifically allowed.

More information:

This was first published in September 2006

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: