Cross Site Tracing
Attack Pattern ID: 107 (Standard Attack Pattern Completeness: Complete)Typical Severity: Very HighStatus: Draft
+ Description


Cross Site Tracing (XST) enables an attacker to steal the victim's session cookie and possibly other authentication credentials transmitted in the header of the HTTP request when the victim's browser communicates to destination system's web server. The attacker first gets a malicious script to run in the victim's browser that induces the browser to initiate an HTTP TRACE request to the web server. If the destination web server allows HTTP TRACE requests, it will proceed to return a response to the victim's web browser that contains the original HTTP request in its body. The function of HTTP TRACE, as defined by the HTTP specification, is to echo the request that the web server receives from the client back to the client. Since the HTTP header of the original request had the victim's session cookie in it, that session cookie can now be picked off the HTTP TRACE response and sent to the attacker's malicious site. XST becomes relevant when direct access to the session cookie via the "document.cookie" object is disabled with the use of httpOnly attribute which ensures that the cookie can be transmitted in HTTP requests but cannot be accessed in other ways. Using SSL does not protect against XST.

If the system with which the victim is interacting is susceptible to XSS, an attacker can exploit that weakness directly to get his or her malicious script to issue an HTTP TRACE request to the destination system's web server. In the absense of an XSS weakness on the site with which the victim is interacting, an attacker can get the script to come from the site that he controls and get it to execute in the victim's browser (if he can trick the victim's into visiting his malicious website or clicking on the link that he supplies). However, in that case, due to the single origin policy protection mechanism in the browser, the attacker's malicious script cannot directly issue an HTTP TRACE request to the destination system's web server because the malicious script did not originate at that domain. An attacker will then need to find a way to exploit another weakness that would enable him or her to get around the single origin policy protection.

Attack Execution Flow

  1. Determine if HTTP Trace is enabled:

    Determine if HTTP Trace is enabled at the web server with which the victim has a an active session

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments

    An attacker may issue an HTTP Trace request to the target web server and observe if the response arrives with the original request in the body of the response.



    IDtypeIndicator DescriptionEnvironments

    HTTP Trace is enabled on the web server



    IDtypeOutcome Description
    The original request is returned after the HTTP Trace request.
  1. Identify mechanism to launch HTTP Trace request:

    The attacker attempts to force the victim to issue an HTTP Trace request to the targeted application.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments

    The attacker probes for cross-site scripting vulnerabilities to force the victim into issuing an HTTP Trace request.



    IDtypeOutcome Description
    Attacker's script is executed within the browser context.
  1. Create a malicious script that pings the web server with HTTP TRACE request:

    Create a malicious script that will induce the victim's browser to issue an HTTP TRACE request to the destination system's web server. The script will further intercept the response from the web server, pick up sensitive information out of it, and forward to the site controlled by the attacker.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments

    The attacker's malicious script circumvents the httpOnly cookie attribute that prevents from hijacking the victim's session cookie directly using document.cookie and instead leverages the HTTP TRACE to catch this information from the header of the HTTP request once it is echoed back from the web server in the body of the HTTP TRACE response.

  2. Execute malicious HTTP Trace launching script:

    The attacker leverages a vulnerability to force the victim to execute the malicious HTTP Trace launching script

+ Attack Prerequisites

HTTP TRACE is enabled on the web server

The destination system is susceptible to XSS or an attacker can leverage some other weakness to bypass the single origin policy

Scripting is enabled in the client's browser

HTTP is used as the communication protocol between the server and the client

+ Typical Likelihood of Exploit

Likelihood: Medium

+ Methods of Attack
  • Protocol Manipulation
  • Injection
+ Examples-Instances


An attacker determines that a particular system is vulnerable to reflected cross-site scripting (XSS) and endeavors to leverage this weakness to steal the victim's authentication cookie. An attacker realizes that since httpOnly attribute is set on the user's cookie, it is not possible to steal it directly with his malicious script. Instead, the attacker has his script use XMLHTTP ActiveX control in the victim's IE browser to issue an HTTP TRACE to the target system's server which has HTTP TRACE enabled. The original HTTP TRACE request contains the session cookie and so does the echoed response. The attacker picks the session cookie from the body of HTTP TRACE response and ships it to the attacker. The attacker then uses the newly acquired victim's session cookie to impersonate the victim in the target system.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Medium

Understanding of the HTTP protocol and an ability to craft a malicious script

+ Resources Required

No specialized resources are needed

+ Probing Techniques

Send HTTP TRACE requests to the destination web server to see if it responds

+ Solutions and Mitigations

Administrators should disable support for HTTP TRACE at the destination's web server. Vendors should disable TRACE by default.

Patch web browser against known security origin policy bypass exploits.

+ Attack Motivation-Consequences
  • Information Leakage
  • Privilege Escalation
  • Data Modification
+ Related Weaknesses
CWE-IDWeakness NameWeakness Relationship Type
693Protection Mechanism FailureTargeted
648Incorrect Use of Privileged APIsTargeted
+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfAttack PatternAttack Pattern86Embedding Script (XSS ) in HTTP Headers 
Mechanism of Attack (primary)1000
+ Relevant Security Requirements

Turn off HTTP TRACE on the web server (if not needed)

+ Related Security Principles
  • Complete Mediation

  • Secure by Default

+ Purposes
  • Exploitation
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: Medium
+ Technical Context
Architectural Paradigms
+ References

+ Content History
Evgeny LebanidzeCigital, Inc2009-01-12Initial core pattern content
Sean BarnumCigital Federal, Inc.2009-04-20Refinement of pattern content