CAPEC-107: Cross Site Tracing

Description
Cross Site Tracing (XST) enables an adversary to steal the victim's session cookie and possibly other authentication credentials transmitted in the header of the HTTP request when the victim's browser communicates to a destination system's web server.
Extended Description

The adversary uses an XSS attack to have victim's browser sent an HTTP TRACE request to a destination web server, which will proceed to return a response to the victim's web browser that contains the original HTTP request in its body. Since the HTTP header of the original HTTP TRACE request had the victim's session cookie in it, that session cookie can now be picked off the HTTP TRACE response and sent to the adversary's malicious site. XST becomes relevant when direct access to the session cookie via the "document.cookie" object is disabled with the use of httpOnly attribute which ensures that the cookie can be transmitted in HTTP requests but cannot be accessed in other ways. Using SSL does not protect against XST. If the system with which the victim is interacting is susceptible to XSS, an adversary can exploit that weakness directly to get their malicious script to issue an HTTP TRACE request to the destination system's web server.

Severity :

Very High

Possibility :

Medium

Type :

Detailed
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-63: Cross-Site Scripting (XSS) Cross-Site Scripting (XSS) CAPEC-593: Session Hijacking Session Hijacking
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • HTTP TRACE is enabled on the web server
  • The destination system is susceptible to XSS or an adversary can leverage some other weakness to bypass the same origin policy
  • Scripting is enabled in the client's browser
  • HTTP is used as the communication protocol between the server and the client
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Medium Understanding of the HTTP protocol and an ability to craft a malicious script
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

OWASP Attacks | Cross Site Tracing
Resources required

None: No specialized resources are required to execute this type of attack.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-648: Incorrect Use of Privileged APIs

CWE-693: Protection Mechanism Failure

Visit http://capec.mitre.org/ for more details.