Cross-site tracing (XST) is indeed similar to cross-site scripting (XSS), but it relies on a different HTTP method for sending data. With both XSS and XST, an attacker crafts a browser script that is then bounced through a Web server and transmitted to a victim's browser unfiltered. The script runs in the browser and in the context of a given Web application. It can then steal cookies, engage in Web transactions as that user or participate in other mayhem. So, in that regard, the two attacks have a lot in common.
But, the more familiar (and common) XSS typically relies on HTTP GET or POST request methods. Both requests are commonly used for sending variables from browsers to servers. GET does so via the URL, and POST via form elements.
XST, on the other hand, relies on the HTTP TRACE method, which was designed to allow for echoing characters off of a Web server. With a Web server that supports the TRACE method, you can send data, and the server will reflect that exact data back, a useful feature if you have to debug Web server or network problems.
But, if a Web server supports the TRACE method, an attacker can craft a special HTTP request that bounces malicious scripts into a victim's browser, resulting in an XST attack. The vast majority of environments do not need the TRACE method in their production environments. Thus, if you run a Web server, either disable or block the TRACE method. In Apache, you can do this by utilizing mod_rewrite. On IIS, the same can be done with UrlScan. Other types of Web server have specific configuration options to block TRACE.
This was first published in February 2007