cross-site tracing

Cross-site tracing (XST) is a sophisticated form of cross-site scripting (XSS) that can bypass security countermeasures already put in place to protect against XSS. This new form of attack allows an intruder to obtain cookies and other authentication data using simple client-side script.

In October 2002, Microsoft issued a press release describing a patch called HttpOnly to protect against XSS. However, hackers soon discovered a way to bypass HttpOnly and conduct XSS attacks on a broader scale. A typical XST attack may begin when an unwary Internet user visits a site hosted by a compromised server. The server sends scripting code to the victim's computer. The victim's computer sends an HTTP TRACE request to some other site recently visited by the victim's computer. The second site then sends cookies or other authentication data to the hacked server, and thereby makes the data available to the attacker.

In order to guarantee protection from XST, Internet users can disable JavaScript or ActiveX on their browsers. However, this renders inoperable many of the features that Internet users take for granted. There are other, less problematic measures that you can implement. For example, you can set your browser to automatically purge all cookies at the end of each session. Some browsers, such as Firefox and Opera, allow users to easily delete all stored personal data at any time. Server administrators can set servers to disable HTTP TRACE by default. Finally, individual Internet users and server administrators should regularly and frequently update their security patches.
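An administrator who disables HTTP TRACE can confirm the setting took effect by sending one TRACE request to their own server and checking whether a request header comes back in the response body. The following is an added example, not part of the original glossary entry; the function names, the `X-Trace-Probe` header and the sample responses are constructed for illustration.

```python
import http.client
import secrets

def classify_trace(status, body, marker):
    """Classify a TRACE response given the marker we sent in a request header.

    A TRACE-enabled server returns 200 with the received request, headers
    included, as the response body. That reflection is what lets script read
    header values (such as cookies) that it cannot read directly.
    """
    if status == 200 and marker in body.decode("latin-1"):
        return "enabled"         # our request header came back in the body
    if 400 <= status < 600:
        return "disabled"        # e.g. 405 or 501: the method was refused
    return "inconclusive"        # no echo and no refusal: review by hand

def probe_trace(host, port=80, use_tls=False, timeout=5):
    """Send one TRACE request to a server you administer and classify it."""
    marker = secrets.token_hex(8)  # random value, so a match is a real echo
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"X-Trace-Probe": marker})
        resp = conn.getresponse()
        return classify_trace(resp.status, resp.read(65536), marker)
    finally:
        conn.close()

# Constructed sample responses (not captured from any real server).
SAMPLE_MARKER = "1a2b3c4d5e6f7a8b"
SAMPLE_ECHO = (b"TRACE / HTTP/1.1\r\nHost: www.example.test\r\n"
               b"X-Trace-Probe: 1a2b3c4d5e6f7a8b\r\n\r\n")
SAMPLE_REFUSED = b"<h1>405 Method Not Allowed</h1>"
SAMPLE_PAGE = b"<html><body>home page</body></html>"

if __name__ == "__main__":
    print(classify_trace(200, SAMPLE_ECHO, SAMPLE_MARKER))
    print(classify_trace(405, SAMPLE_REFUSED, SAMPLE_MARKER))
    print(classify_trace(200, SAMPLE_PAGE, SAMPLE_MARKER))
```

Run `probe_trace` after each configuration change; any result other than "disabled" means the server still needs attention.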

Read more about it:
>>  Jeremiah Grossman describes how cross-site tracing works, and how the risk can be minimized.
>>  This SearchApplicationSecurity.com tip explains 'How to prevent the risks of client-side caching.'

Last updated on: Sep 20, 2006

All Rights Reserved, Copyright 2006 - 2008, TechTarget