Definition

cross-site tracing (XST)

Cross-site tracing (XST) is a sophisticated form of cross-site scripting (XSS) that can bypass security countermeasures already put in place to protect against XSS. This new form of attack allows an intruder to obtain cookies and other authentication data using simple client-side script.

In October 2002, Microsoft issued a press release describing a patch called HTTPOnly to protect against XSS. However, hackers soon discovered a way to bypass HTTPOnly and conduct XSS attacks on a broader scale. A typical XST attack may begin when an unwary Internet user visits a site hosted by a compromised server. The server sends scripting code to the victim's computer. The victim's computer sends an HTTP TRACE request to some other site recently visited by the victim's computer. The second site then sends cookies or other authentication data to the hacked server, and thereby makes the data available to the attacker.

In order to guarantee protection from XST, Internet users can disable JavaScript or ActiveX on their browsers. However, this renders inoperable many of the features that Internet users take for granted. There are other, less problematic measures that you can implement. For example, you can set your browser to automatically purge all cookies at the end of each session. Some browsers, such as Firefox and Opera, allow users to easily delete all stored personal data at any time. Server administrators can set servers to disable HTTP TRACE by default. Finally, individual Internet users and server administrators should regularly and frequently update their security patches.

This was last updated in September 2006
Posted by: Margaret Rouse

Email Alerts

Register now to receive SearchSoftwareQuality.com-related news, tips and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

More News and Tutorials

  • Scaling Agile software development: Challenges and solutions

    Software consultant Nari Kannan describes how agile practices and work can be scaled appropriately for success in large organizations. Using lean thinking, reduction of waste, and appropriately organizing work and people, agile can be successfully adapted, regardless of the size of the organization.

  • Rise in hidden software glitches caused by programmer retirements

    Undiscovered software glitches in complex systems are common, and one of the primary drivers is the loss of mainframe knowledge of a retiring workforce. Software glitches are lurking in many large systems, particularly mainframe systems, and the COBOL programmers that understand the code best are retiring, according to Jeff Papows, author of the new book, "Glitch - The hidden impact of faulty software." Papows describes how faulty software caused a huge charge to debit card holder's account and why such mistakes are on the rise in this interview. Papows notes the three most pressing drivers for software glitches: loss of intellectual knowledge, market consolidation and the ubiquity of technology

  • Professional development for software testers

    Karen Johnson suggests a variety of ways that testers can gain additional skills and experience, including social networking and open source testing.

Do you have something to add to this definition? Let us know.

Send your comments to techterms@whatis.com

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: