TRACE method with XST

TRACE method.
Today I will present one topic: the TRACE method. We know many HTTP methods: GET, POST, OPTIONS...
But we will focus on one method: TRACE. If we use it, the server sends back a copy of our request:

icesurfer@nightblade ~ $ nc victim.com 80
TRACE / HTTP/1.1
Host: victim.com

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 31 Oct 2006 08:01:48 GMT
Connection: close
Content-Type: message/http
Content-Length: 39

TRACE / HTTP/1.1
Host: victim.com

Now I am going to talk about HttpOnly. It is a mechanism to protect cookies. HttpOnly is an additional flag included in a Set-Cookie HTTP response header. If the HttpOnly flag (optional) is included in the HTTP response header, the cookie cannot be accessed through client-side script.
So we can use it to protect cookies against XSS attacks. But if the server supports the TRACE method, this protection can be easily bypassed.

Now, let us review before the example. The TRACE method echoes back the whole request, headers included. The browser attaches the cookie to the request, so the response body contains the cookie even when it was flagged HttpOnly. Remember that we cannot access such a cookie directly from client-side script (JavaScript).
There are multiple ways to make a browser issue a TRACE request, such as the XMLHTTP ActiveX control in Internet Explorer and XMLDOM in Mozilla and Netscape. The easiest way is to use jQuery ajax. However, for security reasons the browser is allowed to start a connection only to the domain where the hostile script resides. This is a mitigating factor, as the attacker needs to combine the TRACE method with another vulnerability in order to mount the attack. Basically, an attacker has two ways to successfully launch a Cross Site Tracing attack:
1. Create a site that uses a malicious script to generate a TRACE request.
2. Use a server vulnerability to inject a script that contains the TRACE request.
------------------------------------------------------------
Thanks for reading

Nam Habach