Cross-site tracing vs. Cross-site scripting

Cross-site tracing, slightly different from cross-site scripting, can still do some significant damage to your Web applications. In this Q&A, information security threats expert Ed Skoudis reveals how each attack is carried out.

What is cross-site tracing? Is it similar to XSS?

Cross-site tracing (XST) is indeed similar to cross-site scripting (XSS), but it relies on a different HTTP method for sending data. With both XSS and XST, an attacker crafts a browser script that is then bounced through a Web server and transmitted to a victim's browser unfiltered. The script runs in the browser and in the context of a given Web application. It can then steal cookies, engage in Web transactions as that user or participate in other mayhem. So, in that regard, the two attacks have a lot in common.

But, the more familiar (and common) XSS typically relies on HTTP GET or POST request methods. Both requests are commonly used for sending variables from browsers to servers. GET does so via the URL, and POST via form elements.

XST, on the other hand, relies on the HTTP TRACE method, which was designed to allow for echoing characters off of a Web server. With a Web server that supports the TRACE method, you can send data, and the server will reflect that exact data back, a useful feature if you have to debug Web server or network problems.

But, if a Web server supports the TRACE method, an attacker can craft a special HTTP request that bounces malicious scripts into a victim's browser, resulting in an XST attack. The vast majority of environments do not need the TRACE method in their production environments. Thus, if you run a Web server, either disable or block the TRACE method. In Apache, you can do this by utilizing mod_rewrite. On IIS, the same can be done with UrlScan. Other types of Web server have specific configuration options to block TRACE.

More information:

  • Learn the tactics that can prevent cross-site scripting attacks.
  • Visit's application attacks resource center.
This was last published in February 2007

Dig Deeper on Application attacks (buffer overflows, cross-site scripting)