Cross-site tracing (XST) is a sophisticated form of cross-site scripting (XSS) that can bypass security countermeasures already put in place to protect against XSS. This new form of attack allows an intruder to obtain cookies and other authentication data using simple client-side script.
In October 2002, Microsoft issued a press release describing a patch called HttpOnly to protect against XSS. However, hackers soon discovered a way to bypass HttpOnly and conduct XSS attacks on a broader scale. A typical XST attack may begin when an unwary Internet user visits a site hosted by a compromised server. The server sends scripting code to the victim's computer. The victim's computer sends an HTTP TRACE request to some other site recently visited by the victim's computer. The second site then sends cookies or other authentication data to the hacked server, and thereby makes the data available to the attacker.
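A TRACE response echoes the request it received, headers included, which is how the cookie in the sequence above becomes readable despite HttpOnly. The following added example (not part of the original definition) is a server-side audit that classifies a server's reply to a TRACE probe carrying a random canary instead of real credentials; the function names, the canary format and the sample response are assumptions constructed for illustration.

```python
import http.client
import secrets

SENSITIVE = ("Cookie", "Authorization")  # request headers that must never be echoed

def probe_headers(canary):
    """Headers for the probe: a random canary stands in for real credentials."""
    return {"Cookie": f"session={canary}", "Authorization": f"Bearer {canary}"}

def echoed_headers(status, body, canary):
    """Names of sensitive request headers that the TRACE response echoed back."""
    if status != 200:                      # 405/501/403: the method is refused
        return []
    found = []
    for line in body.decode("latin-1").splitlines():
        name, sep, value = line.partition(":")
        if sep and canary in value:
            for h in SENSITIVE:
                if name.strip().lower() == h.lower() and h not in found:
                    found.append(h)
    return found

def verdict(status, content_type, body, canary):
    """Classify one TRACE reply as reflecting, filtered, or not served."""
    hits = echoed_headers(status, body, canary)
    if hits:
        return "reflects " + ", ".join(hits)
    if status == 200 and content_type.lower().startswith("message/http"):
        return "TRACE enabled, sensitive headers filtered"
    return "TRACE not served"

def check(host, port=80):
    """Send one TRACE probe to a server you operate and classify the reply."""
    canary = "xst-" + secrets.token_hex(8)
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", "/", headers=probe_headers(canary))
        resp = conn.getresponse()
        return verdict(resp.status, resp.getheader("Content-Type", ""), resp.read(), canary)
    finally:
        conn.close()

# Constructed sample: body of a TRACE reply from a server that echoes the request.
SAMPLE_CANARY = "xst-0123456789abcdef"
SAMPLE_BODY = (b"TRACE / HTTP/1.1\r\nHost: app.example\r\n"
               b"Cookie: session=xst-0123456789abcdef\r\n"
               b"Authorization: Bearer xst-0123456789abcdef\r\n\r\n")
```

A result of "TRACE not served" is the desired state; any "reflects" result means the method should be disabled on that server or at the proxy in front of it.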