-2

Could TRACE METHOD cause harm to my website?

If this request is made:

TRACE / <script>confirm("Java Script !")</script> HTTP/1.1
Host: xxxxxdomain.com
X-Wing: <script>bar()</script>

It returns a JavaScript confirm (Java Script !).

What can an attacker do with this vulnerability?

schroeder
Yorke York
    Please edit your question to (1) provide a more descriptive title, (2) tell us what research you've done (hint: there are other questions on this site that seem relevant). – D.W. Aug 30 '15 at 04:30

2 Answers

1

The TRACE method is not issued by browsers for normal requests; that is, you would need to do an XHR request or an HTTP request from a plugin or external tool. Since script is only executed by the browser when receiving a response to a normal GET/POST request executed by the browser for links, forms, script inclusion, etc., but not for manually generated requests like XHR, etc., that means that you cannot attack a browser this way.

But there are other attacks possible with TRACE, see OWASP for more information.

Steffen Ullrich
1

Maybe the most serious threat that an attacker can pose with TRACE is to access the document.cookie property in order to hijack the victim's session. TRACE won't work in any browser (luckily).

For the case you described, it depends on the security layers implemented on the server the attacker runs it against, and the question, as it is asked, is too broad to answer exactly. But keep in mind that the attacker will get information on how the server responds to a given request.

Out of curiosity, run this in a terminal (216.58.209.100 = www.google.com):

curl -X TRACE 216.58.209.100

You will get this error message:

Error 405 (Method Not Allowed)!!1