Cross Site Tracing, aka XST, is not very likely to become a threat nowadays with updated technology, as most modern browsers prevent all the known and common attack vectors.
[quote=MaXe]What is XST and can it be used for anything?
XST also known as Cross Site (Script) Tracing is a way of abusing the HTTP Trace (Debug) protocol. Anything that an attacker sends to a web-server that has TRACE enabled will send the same answer back. If an attacker sends the following:
TRACE / HTTP/1.0
The attacker will receive the same "Custom-header: <scr..." back, allowing script execution. However, after recent browser updates in the following year(s), XST has become increasingly harder to control and execute properly.[/quote]
Here's a paper you must read: http://www.cgisecurity.com/whitehat-mir ... _ebook.pdf
[quote=OWASP]Note: in order to understand the logic and the goals of this attack you need to be familiar with Cross Site Scripting attacks.
As mentioned before, TRACE simply returns any string that is sent to the web server. [/quote]
XSS Trace: http://attacks.intern0t.net/xstrace/
HTTP Options: http://attacks.intern0t.net/htopt/
(You can use Burp Suite Free to test XST as well.)

References:
http://www.xssed.com/article/31/The_Beg ... de_to_XSS/
http://en.wikipedia.org/wiki/Cross-site_tracing
https://www.owasp.org/index.php/Testing ... ASP-CM-008
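
To audit your own server for the TRACE echo behaviour described above, the following added example (not part of the original post or of any tool it links to) classifies the raw reply to a TRACE probe and checks the `Allow` header of an OPTIONS reply. The function names, the `X-Audit-Probe` header and the sample responses are constructed for illustration.

```python
"""Classify a server's reply to a harmless TRACE probe (constructed samples)."""

def parse_response(raw: bytes):
    """Split a raw HTTP response into (status code, headers dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body.decode("iso-8859-1")

def classify_trace_reply(raw: bytes, marker: str) -> str:
    """marker is the value of a benign header the auditor sent in the probe."""
    status, headers, body = parse_response(raw)
    if status != 200:
        return "rejected"      # e.g. 405 Method Not Allowed / 501 Not Implemented
    if marker in body:
        return "echoed"        # request headers are reflected: TRACE is enabled
    if headers.get("content-type", "").lower().startswith("message/http"):
        return "filtered"      # TRACE answered, but the probe header was stripped
    return "ignored"           # 200 with ordinary content: not a TRACE echo

def allow_lists_trace(raw: bytes) -> bool:
    """True if the Allow header of an OPTIONS reply advertises TRACE."""
    _, headers, _ = parse_response(raw)
    methods = {m.strip().upper() for m in headers.get("allow", "").split(",")}
    return "TRACE" in methods

# Constructed sample replies (not captured from a real server).
SAMPLE_ECHO = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
               b"TRACE / HTTP/1.1\r\nHost: test.example\r\n"
               b"X-Audit-Probe: probe-7f3a\r\n\r\n")
SAMPLE_405 = (b"HTTP/1.1 405 Method Not Allowed\r\n"
              b"Allow: GET, HEAD, POST, OPTIONS\r\nContent-Length: 0\r\n\r\n")
SAMPLE_OPTIONS = (b"HTTP/1.1 200 OK\r\n"
                  b"Allow: GET, HEAD, POST, OPTIONS, TRACE\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(classify_trace_reply(SAMPLE_ECHO, "probe-7f3a"))   # echoed
    print(classify_trace_reply(SAMPLE_405, "probe-7f3a"))    # rejected
    print(allow_lists_trace(SAMPLE_OPTIONS))                  # True
```

A server that comes back as `echoed` should have TRACE turned off, for example with Apache's `TraceEnable off` directive.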