Saturday, January 12, 2008

Vulnerability Series: HTTP Trace XSS

The HTTP protocol (RFC 2616) defines a number of request methods; a server advertises the ones it supports in response headers such as:

  • ALLOW: (OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK)
  • PUBLIC: (OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH)

which together cover the functional components of the protocol (for a complete review of the HTTP standard, see RFC 2616 - Hypertext Transfer Protocol -- HTTP/1.1). Specifically, the TRACE method invokes a remote loopback of the request message sent by the client: the server echoes the request it received back to the client in the body of its response. This lets the submitting client see exactly what is arriving at the other end of the connection, and the method is intended purely as a debugging tool.

How to apply this attack

With TRACE enabled on the server, it is possible to combine it with a Cross-Site Scripting attack and force a client to execute HTTP requests. As with many XSS-based vulnerabilities, the target of this vulnerability is typically authentication information such as cookies, session IDs, etc. Submitting a TRACE request to the server such as:

TRACE /<script>alert(12345);</script> HTTP/1.1
Referer: http://site/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Pragma: no-cache
Host: site
Connection: Keep-Alive
Cookie: 12345123451234512345

Typically, this request is performed with some type of intermediary tool such as:

  • Localhost Proxy (with the ability to intercept)
  • HTTP Editor
  • Telnet

By placing the script injection in the request line or headers of a TRACE request to the target, an attacker has the server reflect it back in the response body; that reflection is what makes the HTTP Trace attack possible.
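As an added example (not part of the original post), the following Python answers the two questions an auditor has about a server from captured responses: does an OPTIONS reply advertise TRACE (or TRACK, the alias Microsoft IIS historically accepted) in its Allow/Public headers, and does a TRACE reply actually loop the request back, which is the reflection that the attack above depends on. The sample responses are constructed, the function names are my own, and the checks work on response text so they run offline.

```python
"""Audit helpers for detecting an enabled HTTP TRACE method.

Added example, not part of the original post. Operates on raw HTTP
response text; every sample below is constructed, not captured from
a real server.
"""
import re

# TRACE per RFC 2616; TRACK is the alias historically accepted by IIS
RISKY_METHODS = {"TRACE", "TRACK"}


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Header names are lower-cased; repeated headers are joined with ', '
    as RFC 2616 permits for list-valued fields such as Allow.
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    match = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    if not match:
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name in headers:
            headers[name] = headers[name] + ", " + value
        else:
            headers[name] = value
    return int(match.group(1)), headers, body


def advertised_methods(headers):
    """Methods listed in the Allow: and Public: headers of an OPTIONS reply."""
    methods = set()
    for field in ("allow", "public"):
        for token in headers.get(field, "").split(","):
            if token.strip():
                methods.add(token.strip().upper())
    return methods


def trace_is_advertised(options_response):
    """True when the server lists TRACE/TRACK as a supported method."""
    _, headers, _ = parse_response(options_response)
    return bool(advertised_methods(headers) & RISKY_METHODS)


def trace_is_reflected(trace_response, sent_request):
    """True when the server loops the TRACE request back in the body.

    A compliant TRACE reply is a 200 with Content-Type: message/http whose
    body is the request as the server received it (RFC 2616 section 9.8).
    Finding our own request line in the body confirms the reflection.
    """
    status, headers, body = parse_response(trace_response)
    if status != 200:
        return False
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "message/http":
        return False
    return sent_request.splitlines()[0] in body


# --- constructed samples -------------------------------------------------
OPTIONS_REPLY_TRACE_ON = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Content-Length: 0\r\n\r\n"
)
OPTIONS_REPLY_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: OPTIONS, GET, HEAD, POST\r\n"
    "Content-Length: 0\r\n\r\n"
)
SENT_TRACE = "TRACE / HTTP/1.1\r\nHost: site\r\nCookie: 12345123451234512345\r\n\r\n"
TRACE_REPLY_REFLECTED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: message/http\r\n"
    "Content-Length: %d\r\n\r\n" % len(SENT_TRACE)
) + SENT_TRACE
TRACE_REPLY_DISABLED = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Allow: GET, HEAD, POST\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print("TRACE advertised (exposed server):", trace_is_advertised(OPTIONS_REPLY_TRACE_ON))
    print("TRACE advertised (hardened server):", trace_is_advertised(OPTIONS_REPLY_HARDENED))
    print("TRACE reflected (exposed server):", trace_is_reflected(TRACE_REPLY_REFLECTED, SENT_TRACE))
    print("TRACE reflected (hardened server):", trace_is_reflected(TRACE_REPLY_DISABLED, SENT_TRACE))
```

The reflection check is the one that matters: a server may omit TRACE from Allow yet still answer it, so an audit should look at the actual TRACE reply rather than trust the advertisement. On Apache httpd the method is switched off with the `TraceEnable off` directive; a hardened server then answers TRACE with a 405 and its Allow header no longer lists the method, which is what the last sample above models.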

Remediation

Please consult the following US-CERT documentation for remediation.
