Q

Cross-site tracing vs. Cross-site scripting

Cross-site tracing, slightly different from cross-site scripting, can still do some significant damage to your Web applications. In this SearchSecurity.com Q&A, information security threats expert Ed Skoudis reveals how each attack is carried out.

What is cross-site tracing? Is it similar to XSS?

Cross-site tracing (XST) is indeed similar to cross-site scripting (XSS), but it relies on a different HTTP method for sending data. With both XSS and XST, an attacker crafts a browser script that is then bounced through a Web server and transmitted to a victim's browser unfiltered. The script runs in the browser and in the context of a given Web application. It can then steal cookies, engage in Web transactions as that user or participate...

in other mayhem. So, in that regard, the two attacks have a lot in common.

But, the more familiar (and common) XSS typically relies on HTTP GET or POST request methods. Both requests are commonly used for sending variables from browsers to servers. GET does so via the URL, and POST via form elements.

XST, on the other hand, relies on the HTTP TRACE method, which was designed to allow for echoing characters off of a Web server. With a Web server that supports the TRACE method, you can send data, and the server will reflect that exact data back, a useful feature if you have to debug Web server or network problems.

But, if a Web server supports the TRACE method, an attacker can craft a special HTTP request that bounces malicious scripts into a victim's browser, resulting in an XST attack. The vast majority of environments do not need the TRACE method in their production environments. Thus, if you run a Web server, either disable or block the TRACE method. In Apache, you can do this by utilizing mod_rewrite. On IIS, the same can be done with UrlScan. Other types of Web server have specific configuration options to block TRACE.

More information:

This was first published in February 2007

Dig deeper on Application Attacks (Buffer Overflows, Cross-Site Scripting)

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close