The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws


Chapter 12  ■ Attacking Other Users



Page 421




respond with a message whose body contains the exact text of the TRACE request that the server received. The reason that this is sometimes of value for diagnostic purposes is that the request received by a server can be different from the request sent by a client, because of modifications made by intervening proxies, and so on. The method can be used to determine what changes are being made to the request between client and server.

Browsers submit all cookies in HTTP requests, including requests that use the TRACE method, and including cookies flagged as HttpOnly. For example:

TRACE / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, */*
Accept-Language: en-gb,en-us;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: wahh-app.com
Cookie: SessId=12d1a1f856ef224ab424c2454208ff

HTTP/1.1 200 OK
Date: Thu, 01 Feb 2007 10:59:54 GMT
Server: Apache
Content-Type: message/http
Content-Length: 426

TRACE / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, */*
Accept-Language: en-gb,en-us;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: wahh-app.com
Cookie: SessId=12d1a1f856ef224ab424c2454208ff

As you can see, both the request and response contain the cookie that was flagged as HttpOnly, and this behavior is what opens the door to XST attacks. If client-side JavaScript can be used to issue a TRACE request, and read the response to that request, then the script will be able to access cookies that are flagged as HttpOnly, even though these are not accessible via the document.cookie property. Of course, the attack will also depend upon some kind of XSS vulnerability, in order to inject the malicious JavaScript. What the technique demonstrates is how an attacker who has identified an exploitable XSS flaw can leverage the TRACE method to gain access to cookies that are supposed to be unavailable to it. Hence the name of the technique: cross-site tracing.
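As an added example (not code from the book), here is a small Python audit helper that parses a raw TRACE request and the server's raw response and reports whether the response is a TRACE echo that reflects the request's Cookie header back to the caller, which is the server-side precondition for the cross-site tracing behavior described above. The sample request and the echo response are constructed here, modelled on the exchange shown above; the 405 response is an assumption about how a server that refuses the TRACE method would answer, not something the page shows.

```python
"""Audit helper: does a server's TRACE response echo the request's cookies?

All sample messages below are constructed for this example, modelled on the
TRACE exchange shown in the text; they are not captured traffic.
"""


def parse_http_message(raw: bytes):
    """Split a raw HTTP message into (start_line, headers, body).

    Header names are lower-cased so lookups are case-insensitive, as HTTP
    requires. A message with no blank line is treated as headers only.
    """
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    start_line = lines[0].decode("iso-8859-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("iso-8859-1").partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return start_line, headers, body


def trace_echoes_cookie(request: bytes, response: bytes) -> bool:
    """Return True when the response is a TRACE echo containing the request's cookie.

    Three conditions must hold: a 200 status, a message/http Content-Type
    (the echo format the TRACE method uses), and a Cookie header inside the
    echoed request that matches the one we sent. Any other shape of response
    (method refused, error page, HTML body) is reported as no exposure.
    """
    req_line, req_headers, _ = parse_http_message(request)
    if not req_line.startswith("TRACE "):
        raise ValueError("expected a TRACE request")
    sent_cookie = req_headers.get("cookie")
    if sent_cookie is None:
        # Nothing was sent, so nothing can be reflected back.
        return False

    status_line, resp_headers, body = parse_http_message(response)
    parts = status_line.split()
    if len(parts) < 2 or not parts[1].isdigit() or int(parts[1]) != 200:
        return False
    if not resp_headers.get("content-type", "").lower().startswith("message/http"):
        return False

    # The body is itself an HTTP request: parse it and look for our cookie.
    _, echoed_headers, _ = parse_http_message(body)
    return echoed_headers.get("cookie") == sent_cookie


# Constructed sample request (shortened from the one shown in the text).
TRACE_REQUEST = (
    b"TRACE / HTTP/1.1\r\n"
    b"Host: wahh-app.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Cookie: SessId=12d1a1f856ef224ab424c2454208ff\r\n"
    b"\r\n"
)

# Constructed echo response: the server reflects the request verbatim.
ECHO_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: message/http\r\n"
    + b"Content-Length: %d\r\n" % len(TRACE_REQUEST)
    + b"\r\n"
    + TRACE_REQUEST
)

# Constructed (assumed) response from a server that refuses the method.
REFUSED_RESPONSE = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET, HEAD, POST\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed 200 response that is an ordinary page rather than a TRACE echo.
HTML_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"<p>hi</p>\r\n"
)


if __name__ == "__main__":
    for label, resp in (("echo", ECHO_RESPONSE),
                        ("refused", REFUSED_RESPONSE),
                        ("html", HTML_RESPONSE)):
        exposed = trace_echoes_cookie(TRACE_REQUEST, resp)
        print(f"{label:8s} cookie reflected by TRACE: {exposed}")
```

The check deliberately keys on the response shape rather than on the status alone, so a server that answers TRACE with an ordinary 200 page is not misreported as an echo. A server that refuses the method outright (on Apache, for example, the TraceEnable off directive, which is not discussed on this page) fails the status test and the helper reports no exposure.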

In older browsers, XST attacks could be delivered using the XMLHttpRequest object that is employed in Ajax applications. For example, in older versions of



