XST Attack Methods#
The full name of XST is Cross-Site Tracing, which is translated as "跨站式追踪攻击" in Chinese. Specifically, it is when the client sends a TRACE / TRACK request to the server, and if the server implements the TRACE / TRACK response according to the standard, the complete header information of the request will be returned in the response body. Through this method, the client can obtain certain sensitive header fields, such as httpOnly cookies.
It can be seen that the attack principle of XST is very simple. After obtaining the cookie information or other sensitive information through XST attacks, attackers can launch XSS, CSRF, man-in-the-middle attacks, etc. Although it seems harmless, the potential danger is enormous. XST attacks alone do not cause substantial harm to the server. The real impact is the exposure of sensitive header data, such as cookies with the httpOnly attribute, which are prohibited from being accessed by front-end JavaScript (such as document.cookie) to prevent them from being sent to third parties. However, even in this case, the TRACE method can be used to bypass this protection and access the cookie. Therefore, XST is also known as Trace leakage attack, Trace header reflection, Trace method injection (TMI), Trace Header Cookie attack (THC).
Conditions for XST attacks:
- The target web server needs to allow Trace and Track methods requests.
- The client can send Trace and Track methods requests. (This type of request has been eliminated in the current browser environment)
Here's an example. Here, I have built a simple web server using Express that accepts a Trace method request:
import express from 'express'
import cookieParser from 'cookie-parser'
const app = express()
app.use(cookieParser())
app.use('/', (req, res, next) => {
res.cookie('account', 'airing', { maxAge: 900000, httpOnly: true })
return res.json(req.headers)
})
app.listen(3000)
We can use the TRACE method to request with the Cookie, and we can see that the Cookie can be sent (in Chrome 24 environment):
var xhr = new XMLHttpRequest();
xhr.open('TRACE', 'http://127.0.0.1:3000/', false);
xhr.withCredentials = true
xhr.setRequestHeader('Cookie', 'account=airingursb');
xhr.send(null);
if(200 == xhr.status) console.log(xhr.responseText);
The real result of XST is that it exposes HTTP headers that JavaScript cannot usually access. httpOnly should prevent JavaScript from reading and sending cookies to the server, but XST successfully bypasses the httpOnly restriction. In addition, the Authentication header used for HTTP Basic Auth is just the Base64-encoded username and password, not part of the DOM, so it should not be directly accessible by JavaScript. However, if XST is used, it can also bypass this restriction. All these sensitive information are exposed through just one Trace request.
XST Defense Methods#
Preventing XST attacks is very simple, just restrict the Trace and Track methods requests on the web server. In addition, XMLHTTPRequest has already eliminated Trace and Track methods requests (since Chrome 25 and FireFox 19 versions). If you try to make a Trace / Track method request, a SecurityError exception will be thrown, which fundamentally prevents XST attacks.
var xhr = new XMLHttpRequest();
xhr.open('TRACE', 'http://localhost:3000/', false);
xhr.send(null);
if(200 == xhr.status) console.log(xhr.responseText);
Also, starting from FireFox 43, insecure fields like cookies are also prohibited from being sent in the request headers. See Forbidden header name | MSD for more details.
Although modern browsers are becoming more and more secure, XST has become history, but it leaves a warning for us web developers - we must pay attention to security and rigor when writing code.