Cross-site tracing (XST) is a type of reflected cross-site scripting (XSS) that exploits the TRACE request defined in the HTTP specification. TRACE was designed as a simple test method for HTTP servers. When the server receives a TRACE request, it is supposed to respond by echoing back all the content of the request (including the cookie header). An attacker tricks a victim's browser into running a script that generates a TRACE request and sends it to the target server. When the request is reflected back to the browser, the script can pull out any cookies and sent them to the attacker. This type of attack is generally used when ordinary cross-site scripting won't work because the site uses the "HTTP Only" flag on its cookies.
To protect against this attack is, fortunately, simple. All you have to do is disable the TRACE method in your Web server or application server. This white paper discusses XST in greater detail The bigger point is that you should use a positive security model when allowing access to your application. The default rule should be to deny all HTTP methods, and only allow those you absolutely need, generally GET and POST. Continue with this model to only allow access to extensions, URLs, business functions, actions, and data that are specifically allowed.More information:
This was first published in September 2006