
cross site tracing exploitation


ffmp3g

Newbie

Posts: 2

Joined: Sat Jun 11, 2011 8:34 am

Post Sat Jun 11, 2011 3:42 pm

cross site tracing exploitation

Hi;
Please, what is the way to exploit a cross site tracing vulnerability? Could it be dangerous? Thanks.

MaXe


Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Sat Jun 11, 2011 4:11 pm

Re: cross site tracing exploitation

Cross Site Tracing, aka XST, is not very likely to become a threat nowadays with updated technology, as most modern browsers prevent all the known and common attack vectors.

MaXe wrote:
What is XST and can it be used for anything?

XST, also known as Cross Site (Script) Tracing, is a way of abusing the HTTP TRACE (debug) method. Anything that an attacker sends to a web server that has TRACE enabled will be sent back in the answer. If an attacker sends the following:

Code:
TRACE / HTTP/1.0
Host: target.tld
Custom-header: <script>alert(0)</script>

The attacker will receive the same "Custom-header: <scr..." back, allowing script execution. However, after the browser updates of the following year(s), XST has become increasingly harder to control and execute properly.

Here's a paper you have to / must read:
http://www.cgisecurity.com/whitehat-mir ... _ebook.pdf

OWASP wrote:
Note: in order to understand the logic and the goals of this attack you need to be familiar with Cross Site Scripting attacks.

The TRACE method, while apparently harmless, can be successfully leveraged in some scenarios to steal legitimate users' credentials. This attack technique was discovered by Jeremiah Grossman in 2003, in an attempt to bypass the HTTPOnly tag that Microsoft introduced in Internet Explorer 6 SP1 to protect cookies from being accessed by JavaScript. As a matter of fact, one of the most recurring attack patterns in Cross Site Scripting is to access the document.cookie object and send it to a web server controlled by the attacker so that he/she can hijack the victim's session. Tagging a cookie as httpOnly forbids JavaScript to access it, protecting it from being sent to a third party. However, the TRACE method can be used to bypass this protection and access the cookie even in this scenario.

As mentioned before, TRACE simply returns any string that is sent to the web server.
Tools:

XSS Trace: http://attacks.intern0t.net/xstrace/
HTTP Options: http://attacks.intern0t.net/htopt/
(You can use Burp Suite Free, to test XST as well.)

References:
http://www.xssed.com/article/31/The_Beg ... de_to_XSS/
http://en.wikipedia.org/wiki/Cross-site_tracing
https://www.owasp.org/index.php/Testing ... ASP-CM-008)
I'm an InterN0T'er
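To check whether a server you administer still answers TRACE (the thread above recommends having it disabled), here is an added Python example; it is not code from the thread or from the tools linked. It builds the probe request, parses a raw response and reports whether the probe header was echoed back. The sample responses, the host name and the X-Trace-Probe header name are constructed for the example.

```python
# Added example: offline check of whether an HTTP response to a TRACE request
# reflects the request, which is the behaviour the thread describes.
# The responses below are constructed; nothing is sent over the network.
import re

# Hypothetical marker header; a unique value makes the reflection check exact.
PROBE_HEADER = "X-Trace-Probe"


def build_trace_probe(host: str, marker: str) -> bytes:
    """Build the raw TRACE request an administrator would send to their own server."""
    return (
        f"TRACE / HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        f"{PROBE_HEADER}: {marker}\r\n"
        f"\r\n"
    ).encode()


def parse_response(raw: bytes) -> tuple:
    """Split a raw HTTP response into (status code, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def trace_enabled(raw_response: bytes, marker: str) -> bool:
    """True when the server echoed the probe header back, i.e. TRACE is enabled.

    A TRACE-capable server answers 200 with Content-Type message/http and the
    request, headers included, as the body. A 405/501, or a body without the
    marker, means the method is not reflected, which is the recommended state.
    """
    status, headers, body = parse_response(raw_response)
    if status != 200 or not headers.get("content-type", "").startswith("message/http"):
        return False
    pattern = rf"(?im)^{re.escape(PROBE_HEADER)}:\s*{re.escape(marker)}\s*$"
    return re.search(pattern, body.decode("iso-8859-1")) is not None


MARKER = "probe-7f3a"  # constructed value, not a secret

# Constructed answer from a server with TRACE enabled: it reflects the request.
REFLECTED = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
             + build_trace_probe("example.test", MARKER))
# Constructed answer from a hardened server (e.g. Apache with TraceEnable off).
DISABLED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"
```

Run the check against your own server by sending build_trace_probe() over a socket and passing the bytes you get back to trace_enabled().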

ffmp3g

Newbie

Posts: 2

Joined: Sat Jun 11, 2011 8:34 am

Post Sat Jun 11, 2011 4:19 pm

Re: cross site tracing exploitation

Thanks for your quick reply!

manoj9372

Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Mon Aug 22, 2011 10:56 am

Re: cross site tracing exploitation

I had some doubts, MaXe :)

You have said that when a web site has the HTTP TRACE method enabled and the attacker sends anything, it will be echoed back:

Code:
TRACE / HTTP/1.0
Host: target.tld
Custom-header: <script>alert(0)</script> 


But my doubt is: the following script

  Code:
<script>alert(0)</script> 


which we are sending, will it get executed on the web server? Or is it just echoed back from the web server without being executed?

MaXe


Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Tue Aug 23, 2011 5:22 pm

Re: cross site tracing exploitation

manoj9372 wrote:
which we are sending, will it get executed on the web server? Or is it just echoed back from the web server without being executed?


It's just like non-persistent XSS, except it isn't a GET or POST request; instead it's the TRACE method, which by default returns any headers sent to the server if enabled, as this is how TRACE is meant to work. (It is recommended to have it disabled anyway.)

In other words: No, the script is just echoed back from the server and is NOT stored.
I'm an InterN0T'er

manoj9372

Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Tue Aug 23, 2011 7:50 pm

Re: cross site tracing exploitation

MaXe wrote:
It's just like non-persistent XSS, except it isn't a GET or POST request; instead it's the TRACE method, which by default returns any headers sent to the server if enabled, as this is how TRACE is meant to work. (It is recommended to have it disabled anyway.)

In other words: No, the script is just echoed back from the server and is NOT stored.


Thanks for the explanation MaXe, I got it :)
