Home > CAPEC List > CAPEC-107: Cross Site Tracing (Version 3.0)  

CAPEC-107: Cross Site Tracing

Attack Pattern ID: 107
Abstraction: Detailed
Status: Draft
Presentation Filter:
+ Description
Cross Site Tracing (XST) enables an adversary to steal the victim's session cookie and possibly other authentication credentials transmitted in the header of the HTTP request when the victim's browser communicates to destination system's web server. The adversary first gets a malicious script to run in the victim's browser that induces the browser to initiate an HTTP TRACE request to the web server. If the destination web server allows HTTP TRACE requests, it will proceed to return a response to the victim's web browser that contains the original HTTP request in its body. The function of HTTP TRACE, as defined by the HTTP specification, is to echo the request that the web server receives from the client back to the client. Since the HTTP header of the original request had the victim's session cookie in it, that session cookie can now be picked off the HTTP TRACE response and sent to the adversary's malicious site. XST becomes relevant when direct access to the session cookie via the "document.cookie" object is disabled with the use of httpOnly attribute which ensures that the cookie can be transmitted in HTTP requests but cannot be accessed in other ways. Using SSL does not protect against XST. If the system with which the victim is interacting is susceptible to XSS, an adversary can exploit that weakness directly to get his or her malicious script to issue an HTTP TRACE request to the destination system's web server. In the absence of an XSS weakness on the site with which the victim is interacting, an adversary can get the script to come from the site that he controls and get it to execute in the victim's browser (if he can trick the victim's into visiting his malicious website or clicking on the link that he supplies). However, in that case, due to the same origin policy protection mechanism in the browser, the adversary's malicious script cannot directly issue an HTTP TRACE request to the destination system's web server because the malicious script did not originate at that domain. An adversary will then need to find a way to exploit another weakness that would enable him or her to get around the same origin policy protection.
+ Likelihood Of Attack

Medium

+ Typical Severity

Very High

+ Relationships

The table(s) below shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

+ Relevant to the view "Mechanisms of Attack" (CAPEC-1000)
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.593Session Hijacking
CanFollowStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.63Cross-Site Scripting (XSS)
+ Execution Flow
Explore
  1. Determine if HTTP Trace is enabled: Determine if HTTP Trace is enabled at the web server with which the victim has a an active session An adversary may issue an HTTP Trace request to the target web server and observe if the response arrives with the original request in the body of the response.

    Techniques
    An adversary may issue an HTTP Trace request to the target web server and observe if the response arrives with the original request in the body of the response.
Experiment
  1. Identify mechanism to launch HTTP Trace request: The adversary attempts to force the victim to issue an HTTP Trace request to the targeted application. The adversary probes for cross-site scripting vulnerabilities to force the victim into issuing an HTTP Trace request.

    Techniques
    The adversary probes for cross-site scripting vulnerabilities to force the victim into issuing an HTTP Trace request.
Exploit
  1. Create a malicious script that pings the web server with HTTP TRACE request: Create a malicious script that will induce the victim's browser to issue an HTTP TRACE request to the destination system's web server. The script will further intercept the response from the web server, pick up sensitive information out of it, and forward to the site controlled by the adversary. The adversary's malicious script circumvents the httpOnly cookie attribute that prevents from hijacking the victim's session cookie directly using document.cookie and instead leverages the HTTP TRACE to catch this information from the header of the HTTP request once it is echoed back from the web server in the body of the HTTP TRACE response.

    Techniques
    The adversary's malicious script circumvents the httpOnly cookie attribute that prevents from hijacking the victim's session cookie directly using document.cookie and instead leverages the HTTP TRACE to catch this information from the header of the HTTP request once it is echoed back from the web server in the body of the HTTP TRACE response.
  2. Execute malicious HTTP Trace launching script: The adversary leverages a vulnerability to force the victim to execute the malicious HTTP Trace launching script

+ Prerequisites
HTTP TRACE is enabled on the web server
The destination system is susceptible to XSS or an adversary can leverage some other weakness to bypass the same origin policy
Scripting is enabled in the client's browser
HTTP is used as the communication protocol between the server and the client
+ Skills Required
[Level: Medium]
Understanding of the HTTP protocol and an ability to craft a malicious script
+ Resources Required
None: No specialized resources are required to execute this type of attack.
+ Consequences

The table below specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

ScopeImpactLikelihood
Confidentiality
Read Data
Confidentiality
Access Control
Authorization
Gain Privileges
Integrity
Modify Data
+ Mitigations
Administrators should disable support for HTTP TRACE at the destination's web server. Vendors should disable TRACE by default.
Patch web browser against known security origin policy bypass exploits.
+ Example Instances
An adversary determines that a particular system is vulnerable to reflected cross-site scripting (XSS) and endeavors to leverage this weakness to steal the victim's authentication cookie. An adversary realizes that since httpOnly attribute is set on the user's cookie, it is not possible to steal it directly with his malicious script. Instead, the adversary has their script use XMLHTTP ActiveX control in the victim's IE browser to issue an HTTP TRACE to the target system's server which has HTTP TRACE enabled. The original HTTP TRACE request contains the session cookie and so does the echoed response. The adversary picks the session cookie from the body of HTTP TRACE response and ships it to the adversary. The adversary then uses the newly acquired victim's session cookie to impersonate the victim in the target system.
+ References
[REF-3] Jeremiah Grossman. "Cross-Site Tracing (XST)". WhiteHat Security. 2003. <http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf>.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2017-05-01CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2017-08-04CAPEC Content TeamThe MITRE Corporation
Updated Attack_Phases, Attack_Prerequisites, Description Summary, Examples-Instances, Resources_Required

More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2018