Ask the Expert

Cross-site tracing vs. Cross-site scripting

What is cross-site tracing? Is it similar to XSS?

    Requires Free Membership to View

Cross-site tracing (XST) is indeed similar to cross-site scripting (XSS), but it relies on a different HTTP method for sending data. With both XSS and XST, an attacker crafts a browser script that is then bounced through a Web server and transmitted to a victim's browser unfiltered. The script runs in the browser and in the context of a given Web application. It can then steal cookies, engage in Web transactions as that user or participate in other mayhem. So, in that regard, the two attacks have a lot in common.

But, the more familiar (and common) XSS typically relies on HTTP GET or POST request methods. Both requests are commonly used for sending variables from browsers to servers. GET does so via the URL, and POST via form elements.

XST, on the other hand, relies on the HTTP TRACE method, which was designed to allow for echoing characters off of a Web server. With a Web server that supports the TRACE method, you can send data, and the server will reflect that exact data back, a useful feature if you have to debug Web server or network problems.

But, if a Web server supports the TRACE method, an attacker can craft a special HTTP request that bounces malicious scripts into a victim's browser, resulting in an XST attack. The vast majority of environments do not need the TRACE method in their production environments. Thus, if you run a Web server, either disable or block the TRACE method. In Apache, you can do this by utilizing mod_rewrite. On IIS, the same can be done with UrlScan. Other types of Web server have specific configuration options to block TRACE.

More information:

This was first published in February 2007

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: