cross-site tracing (XST)


Cross-site tracing (XST) is a sophisticated form of cross-site scripting (XSS) that can bypass security countermeasures already put in place to protect against XSS. This new form of attack allows an intruder to obtain cookies and other authentication data using simple client-side script.

In October 2002, Microsoft issued a press release describing a patch called HTTPOnly to protect against XSS. However, hackers soon discovered a way to bypass HTTPOnly and conduct XSS attacks on a broader scale. A typical XST attack begins when an unwary Internet user visits a site hosted by a compromised server. The server sends scripting code to the victim's computer, and that script causes the victim's browser to send an HTTP TRACE request to some other site the victim has recently visited. A server that supports TRACE answers by echoing the request it received, including the cookies and other authentication data the browser attached to it, so the script can read values that HTTPOnly would otherwise keep from it. The script relays this data from the second site to the hacked server, thereby making it available to the attacker.

In order to guarantee protection from XST, Internet users can disable JavaScript or ActiveX in their browsers. However, this renders inoperable many of the features that Internet users take for granted. There are other, less disruptive measures that you can implement. For example, you can set your browser to purge all cookies automatically at the end of each session. Some browsers, such as Firefox and Opera, let users delete all stored personal data at any time. Server administrators can configure their servers to disable HTTP TRACE by default. Finally, individual Internet users and server administrators should apply security patches regularly and promptly.
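The server-side check an administrator would run to confirm TRACE is off, as an added example that is not part of the original glossary entry: it parses a raw TRACE reply, flags one that echoes the request as `message/http`, and lists which credential-bearing headers came back in the body. The function names, the marker cookie and both sample replies are constructed for this example.

```python
import socket

# Headers whose reflection in a TRACE response exposes credentials to the
# client-side script that issued the request (HttpOnly only keeps cookies
# out of document.cookie; it does not stop the server echoing them).
SENSITIVE_HEADERS = ("cookie", "authorization")

def assess_trace_response(raw: bytes) -> dict:
    """Parse a raw HTTP response to a TRACE request and report whether the
    server echoed the request and which sensitive headers it leaked."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # A compliant TRACE reply is 200 with the echoed request as message/http.
    echoed = status == 200 and headers.get("content-type", "").lower().startswith("message/http")
    leaked = []
    if echoed:
        for line in body.decode("iso-8859-1").split("\r\n"):
            name = line.partition(":")[0].strip().lower()
            if name in SENSITIVE_HEADERS:
                leaked.append(name)
    return {"status": status, "trace_enabled": echoed, "leaked_headers": leaked}

def probe_trace(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Send a TRACE request carrying a marker cookie to a server you
    administer and assess the reply (raw socket, so nothing rewrites the method)."""
    request = (f"TRACE / HTTP/1.1\r\nHost: {host}\r\nCookie: xst_probe=1\r\n"
               "Connection: close\r\n\r\n").encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return assess_trace_response(b"".join(chunks))

# Constructed sample replies (not captured from any real server).
ECHOING_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                    b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"Cookie: session=abc123\r\nAuthorization: Basic dXNlcjpwdw==\r\n\r\n")
HARDENED_RESPONSE = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"

if __name__ == "__main__":
    print(assess_trace_response(ECHOING_RESPONSE))  # trace_enabled True, cookie + authorization leaked
    print(assess_trace_response(HARDENED_RESPONSE))  # trace_enabled False
```

On Apache httpd the server-side fix the text recommends is the `TraceEnable off` directive; after applying it, `probe_trace` against your own host should report `trace_enabled` as False.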

This was first published in September 2006
