In January 2003 Jeremiah Grossman divulged a method to bypass the HttpOnly1 cookie restriction. He named it Cross-Site Tracing (XST), unwittingly starting a trend to attach “cross-site” to as many web-related vulnerabilities as possible.
var xhr = new XMLHttpRequest(); xhr.open('TRACE', 'http://test.lab/', false); xhr.send(null); if(200 == xhr.status) alert(xhr.responseText);
The following image shows one possible response. Notice the text in red. The browser added the Authorization and Cookie headers to the XHR request, which have been reflected by the server:
We’ll see if any of those actually catch on for the next OWASP Top 10 list.
1 HttpOnly was introduced by Microsoft in Internet Explorer 6 Service Pack 1, which was released September 9, 2002. It was created to mitigate, not block, XSS exploits that explicitly attacked cookie values. It wasn’t a method for preventing html injection (a.k.a cross-site scripting or XSS) vulnerabilities from occurring in the first place. Mozilla magnanimously adopted in it FireFox 22.214.171.124 four and a half years later.
2 Section 9.8 of the HTTP/1.1 RFC.
3 Security always has nuanced exceptions. Merely requesting “TRACE /<script>alert(42)</script> HTTP/1.0” might be stored in the web server’s log file or a database. If some log parsing tool renders requests like this to a web page without filtering the content, then HTML injection once again becomes possible. This is often referred to as second order XSS — when a payload is injected via one application, stored, then rendered by a separate web app.