Cross-site tracing (XST) is an advanced form of cross-site scripting (XSS), a code injection attack where the attacker executes malicious scripts injected into a website or an application. In XST, attackers can bypass existing security measures against XSS and steal users’ cookies.

XST scripts exploit HTTP TRACE or TRACK methods originally designed for diagnostic purposes. Some web server administrators still use this HTTP request method for debugging, although server providers disable it by default to prevent XST and other similar attacks.

Other interesting terms…

Read More about a “Cross-Site Tracing”

XST is not a new vulnerability. It has been around for a while, so the security community has already introduced some countermeasures against it. Read on to learn more about XST, including its history, prevention, and how the attack works.

How Did Cross-Site Tracing Come About?

As mentioned above, XST is an advanced form of XSS. Therefore, understanding it requires a basic understanding of how XSS occurs. So, what is XSS?

XSS attacks happen when the attacker injects malicious code into a legitimate website or web application. The code is then executed in victims’ browsers every time they visit the infected website or use the compromised web application. XSS enables attackers to obtain an authenticated user’s credentials or show website visitors malicious content, such as spam ads and phishing prompts.

In October 2002, Microsoft released a patch for XSS attacks called “HTTPOnly.” This patch prevents JavaScript from accessing users’ cookies, so they can’t be sent to a third party. But in 2003, a WhiteHat Security staff found a way around the countermeasure by using the HTTP TRACE method. This more sophisticated form of XSS is called “XST.” Jeremiah Grossman published his findings in a white paper entitled “Cross-Site Tracing (XST): The New Techniques and Emerging Threats to Bypass Current Web Security Measures Using TRACE and XSS.”

What is HTTP TRACE Method?

HTTP TRACE method is used to return a full HTTP request back to the Internet user’s device. This loop-back mechanism helps in debugging. However, attackers can create a malicious web page using vulnerability systems such as ActiveX so that requesting clients can issue TRACE requests, allowing them to get ahold of the client’s cookies. 

How Does Cross-Site Tracing Work?

XST occurs when someone visits a website hosted on a hacked server. The server sends a script to the user’s computer. In response, the user’s computer sends an HTTP TRACE request to a recently visited website. This other website sends authentication data, such as cookies, to the compromised server even when they are tagged as HTTPOnly, making the data available to the attacker.

Aside from data breaches, XST can corrupt data and shut down a compromised server. The following snippet of the findings from the white paper mentioned above summarizes how severe the vulnerability can be:

“A week later into testing of HTTPOnly, WhiteHat staff discovered a new web security

attack technique that is able not only to bypass the HTTPOnly mechanism present in IE 6

Service Pack 1, but in addition the ability to XSS ‘just about’ anything from ‘just about’

anywhere.”

How Do You Prevent Cross-Site Tracing?

To protect yourself from XST, you can follow these tips:

  • Delete cookies: Set browsers to automatically delete all cookies at the end of every web session. Users can also manually do this since most web browsers allow users to delete cookies anytime.
  • Update systems: Regularly update browsers and operating systems (OSs) to apply security patches.
  • Disable technologies similar to ActiveX: The white paper used ActiveX as an example, but the attack is also possible in browsers with JavaScript and other similar technologies enabled.

It’s important to note that the last practice—disabling ActiveX or JavaScript—can also disable most websites’ user-friendly features, such as calculators and date and time features.

For server administrators, the Open Web Application Security Project (OWASP) recommends disabling the HTTP TRACE method on web servers. Back in the days when XST was first discovered, Grossman advised that the vulnerability affects all browsers supporting HTTP Request Enabling Technologies (HRET) and all web servers as well.

The HTTP TRACE method paved the way for XST, and is also believed to be vulnerable to other attacks. These days, the HTTP TRACE method is already disabled by default in some web servers. However, some web server administrators still use it for debugging purposes. So even if XST is already a relatively old attack method, understanding how it works can help protect against similar attacks that exploit the same vulnerabilities.