ABOUT ME

    -

    Today
    -
    Yesterday
    -
    Total
    -
    • Cross-site tracing(XST)
      Web/Security 2019. 9. 7. 11:43

      1. Overview

      In web security, cross-site tracing (abbreviated "XST") is a network security vulnerability exploiting the HTTP TRACE method.

      XST scripts exploit ActiveX, Flash, or any other controls that allow executing an HTTP TRACE request. The HTTP TRACE response includes all the HTTP headers including authentication data and HTTP cookie contents, which are then available to the script. In combination with cross domain access flaws in web browsers, the exploit is able to collect the cached credentials of any web site, including those utilizing SSL.

      2. Example

      the URL in the browser for a page showing the results for a search for “products” might be:

      http://www.example.com/search.php?query=products

       Now, take the following cases:

      2.1 When HttpOnly cookies are not deployed, and TRACE is enabled

      The attacker might post a modified link, such as this:

      http://www.example.com/search.php?query=<script>alert(document.cookie)</script>

      This harmless example will cause the victim’s browser to pop up an alert box, showing their current set of cookies.

      2.2 When HttpOnly cookies are deployed but TRACE is still enabled

      function sendTrace() {
var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
           xmlHttp.open("TRACE", "https://www.foobar.com/extranet/",false);
xmlHttp.send();
xmlDoc=xmlHttp.responseText;
alert(xmlDoc);
}
<input type=button OnClick="sendTrace();" value="Send Trace Request">

      3. Prevention

      • The first and foremost security measure is to disable the TRACE request method (unless needed) on your web servers.
      • Moreover, Web-server vendors should have TRACE disabled in the web-server’s default “out-of-the-box” configuration.
      • Proxy servers should also be shipped with TRACE disabled in their default configurations.
      • Disable TRACE in your browser’s XmlHttpRequest object too. For this, check the support page of your browser’s vendor.
      • For all Internet Explorer users: if you must continue using Internet Explorer, switch to version 7 or 8, because they seem to have patches for this attack. However, the far better path, which I recommend, is for you to use the latest versions of Mozilla Firefox (>3.2) instead.

      4. References

      http://infosec.vishalmishra.in/2013/02/cross-site-tracing.html

      https://en.wikipedia.org/wiki/Cross-site_tracing

      https://opensourceforu.com/2010/12/securing-apache-part-4-xst-xshm/

      'Web > Security' 카테고리의 다른 글

      Secure Socket Layer (SSL) and Transport Layer Security (TLS)  (0) 2019.09.28
      Server-side request forgery  (0) 2019.09.07
      Cross-site request forgery(CSRF)  (0) 2019.09.07
      SQL Injection  (0) 2019.09.07
      Secure coding  (0) 2019.09.06

      관련글 관련글 더보기

      댓글

    Designed by Tistory.

    티스토리툴바