The HTTP Protocol (RFC 2616) allows for a number of options including:
- ALLOW: (OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK)
- PUBLIC: (OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH)
which provide for a number of functional components within the protocol (for a complete review of the HTTP standard, you may wish to visit RFC 2616 - Hypertext Transfer Protocol -- HTTP/1.1). Specifically, the TRACE method allows for the invocation of a remote loopback of the request message initiated by the client. The TRACE method allows the submitting client to view what is being received at the other end of the connection in hopes that the information might provide information and used as a debugging tool.
How to apply this attack
With TRACE enabled on the server, it is possible to utilize a Cross-Site Scripting attack and force a client to execute HTTP requests. As with many of the XSS-based vulnerabilites, a target for this vulnerability might be authentication information such as cookies, session id's, etc. Submitting a TRACE request to the server such as:
TRACE /<>alert(12345);< /script > HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Typically, this request is performed with some type of intermediary tool such as:
- Localhost Proxy (with the ability to intercept)
- HTTP Editor
By passing the script injections in the header of the HTTP request to the target, an attacker is able to execute the HTTP Trace attack.
Please consult the following US-CERT documentation for remediation.