Problem solve Get help with specific problems with your technologies, process and projects.

Cross-site tracing explained

Cross-site tracing (XST) is a reflected version of cross-site scripting (XSS). Expert Jeff Williams describes what makes this Web application security exploit unique and offers strategies for prevention.

I have some understanding of cross-site scripting, but what about cross-site tracing? How do I protect against this attack?

Cross-site tracing (XST) is a type of reflected cross-site scripting (XSS) that exploits the TRACE request defined in the HTTP specification. TRACE was designed as a simple test method for HTTP servers. When the server receives a TRACE request, it is supposed to respond by echoing back all the content of the request (including the cookie header). An attacker tricks a victim's browser into running a script that generates a TRACE request and sends it to the target server. When the request is reflected back to the browser, the script can pull out any cookies and sent them to the attacker. This type of attack is generally used when ordinary cross-site scripting won't work because the site uses the "HTTP Only" flag on its cookies.

To protect against this attack is, fortunately, simple. All you have to do is disable the TRACE method in your Web server or application server. This white paper discusses XST in greater detail The bigger point is that you should use a positive security model when allowing access to your application. The default rule should be to deny all HTTP methods, and only allow those you absolutely need, generally GET and POST. Continue with this model to only allow access to extensions, URLs, business functions, actions, and data that are specifically allowed.

More information:

Dig Deeper on Topics Archive

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.