2

Let's assume we are talking about top 10 most used web browsers: Usage share of web browsers

https://www.cgisecurity.com/questions/httptrace.shtml

'TRACE' is a HTTP request method used for debugging which echo's back input back to the user. Jeremiah Grossman from Whitehatsec posted a paper outlining a risk allowing an attacker to steal information including Cookies, and possibly website credentials. http://www.apacheweek.com suggests the following solution to disable the HTTP TRACE method by using mod_rewrite.

"TRACE requests can be disabled by making a change to the Apache server configuration. Unfortunately it is not possible to do this using the Limit directive since the processing for the TRACE request skips this authorisation checking. Instead the following lines can be added which make use of the mod_rewrite module.

RewriteEngine On RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule .* - [F]" - www.apacheweek.com

and an answer from 2012:

How to exploit HTTP Methods

TRACE - this is the surprising one... Again, a diagnostic method (as @Jeff mentioned), that returns in the response body, the entire HTTP Request. This includes the request body, but also the request headers, including e.g. cookies, authorization headers, and more. Not too surprising, this can be substantially misused, such as the classic Cross-Site Tracing (XST) attack, wherein an XSS vector can be utilized to retrieve HttpOnly cookies, authorization headers, and such. This should definitely be disabled.

It was possible to exploit it like 10 or 15 years ago with JavaScript (now JS is not allowed to make HTTP TRACE requests) and was possible to exploit it with Flash, but now Flash can be officially considered as dead.

Are there still any ways to exploit HTTP TRACE (if it is enabled on the server)?


This OWASP article is currently pretty useless, but I put it here: Cross Site Tracing (it is still interesting as history of hacking). It was discovered by Jeremiah Grossman (2003): https://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf


EDIT

In the comment section it was mentioned that most modern web servers aren't using HTTP TRACE at all. Well per default HTTP TRACE is disabled or requires some additional modules. But it still exists and is there for debugging purposes.

(February 2019) Below are the latest statistics of the market share of all sites of the top web servers on the Internet by W3Techs (https://en.wikipedia.org/wiki/Web_server):

Anders
  • 64,406
  • 24
  • 178
  • 215
Awaaaaarghhh
  • 562
  • 2
  • 18
  • Most severs only allow GET POST AND OPTIONS – yeah_well Aug 23 '19 at 14:56
  • Technically, Flash is still alive until the "end of 2020." – gowenfawr Aug 23 '19 at 14:59
  • @gowenfawr, 1 year and 3 months left. I mean there was enough time to shift from flash to html5 & JS. Flash is slready unusable on Firefox and Chrome, because you have to enable it in settings and it is too complicated for most users, so they will just close the tab and go to the next site without flash. – Awaaaaarghhh Aug 23 '19 at 15:13
  • Here is another interesting question about TRACE: https://security.stackexchange.com/questions/56955/is-the-http-trace-method-a-security-vulnerability - where a person says: "If you are not going to use TRACE method then in my opinion it should be switched off. **It will prevent your app not only against XST, but also against undiscovered vulnerabilities related to this channel, which can be found in the future**". Honestly I was not able to find any bugs, by searching on google, related to *TRACE* on *firefox* and *google chrome*. – Awaaaaarghhh Aug 23 '19 at 15:22

1 Answers1

0

The difficulty of letting your browser send a TRACE request is probably the main reason abusing is difficult these days.

The primary weakness I would still expect to be present would be disclosure of sensitive HTTP headers, which is nowadays the textbook TRACE example challenge.

In terms of XSS, this is determining on the web server, since it is just a regular HTTP response with content rendered to the user. If the web server sends an unencoded response without strict Content-Type/X-Content-Type-Options headers, XSS could be possible. The road to actual exploitation would be a very long one, still.

Wouter
  • 397
  • 1
  • 12