Q

Cross-site tracing explained

Cross-site tracing (XST) is a reflected version of cross-site scripting (XSS). Expert Jeff Williams describes what makes this Web application security exploit unique and offers strategies for prevention.

I have some understanding of cross-site scripting, but what about cross-site tracing? How do I protect against this attack?

Cross-site tracing (XST) is a type of reflected cross-site scripting (XSS) that exploits the TRACE request defined in the HTTP specification. TRACE was designed as a simple test method for HTTP servers. When the server receives a TRACE request, it is supposed to respond by echoing back all the content of the request (including the cookie header). An attacker tricks a victim's browser into running a script that generates a TRACE request...

and sends it to the target server. When the request is reflected back to the browser, the script can pull out any cookies and sent them to the attacker. This type of attack is generally used when ordinary cross-site scripting won't work because the site uses the "HTTP Only" flag on its cookies.

To protect against this attack is, fortunately, simple. All you have to do is disable the TRACE method in your Web server or application server. This white paper discusses XST in greater detail The bigger point is that you should use a positive security model when allowing access to your application. The default rule should be to deny all HTTP methods, and only allow those you absolutely need, generally GET and POST. Continue with this model to only allow access to extensions, URLs, business functions, actions, and data that are specifically allowed.

More information:
This was first published in September 2006
This Content Component encountered an error

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchSOA

TheServerSide

SearchCloudApplications

SearchAWS

SearchBusinessAnalytics

SearchFinancialApplications

SearchHealthIT

Close