Cross Site Tracing (XST) vulnerabilities arise when a web server that has the HTTP TRACE method enabled is also affected by a Cross Site Scripting (XSS) vulnerability. This technique is mainly used to bypass the cookie restrictions imposed by the httpOnly directive. Pentesters can save time by using Nmap to quickly determine whether the web server has the TRACE method enabled.
This recipe describes how to use Nmap to check whether TRACE is enabled and the server is therefore potentially exposed to Cross Site Tracing (XST) vulnerabilities.
Open a terminal and enter the following command:
$ nmap -p80 --script http-methods,http-trace --script-args http-methods.retest <target>
If TRACE is enabled and accessible, we should see something similar to this:
PORT   STATE SERVICE
80/tcp open  http
|_http-trace: TRACE is enabled
| http-methods: GET HEAD POST OPTIONS TRACE
| Potentially risky methods: TRACE
| See http://nmap.org/nsedoc/scripts/http-methods.html
| GET / -> HTTP/1.1 200 OK
|
| HEAD / -> HTTP/1.1 200 OK
|
| POST / -> HTTP/1.1 200 OK
|
| OPTIONS / -> HTTP/1.1 200 OK
|
|_TRACE / -> HTTP/1.1 200 OK
Otherwise, http-trace won't return anything and TRACE will not be listed under http-methods:
PORT   STATE SERVICE
80/tcp open  http
| http-methods: GET HEAD POST OPTIONS
| GET / -> HTTP/1.1 200 OK
|
| HEAD / -> HTTP/1.1 200 OK
|
| POST / -> HTTP/1.1 200 OK
|
|_OPTIONS / -> HTTP/1.1 200 OK
Nmap done: 1 IP address (1 host up) scanned in 14.41 seconds
The arguments -p80 --script http-methods,http-trace --script-args http-methods.retest tell Nmap to launch the NSE scripts http-methods and http-trace on port 80 if a web server is detected, and to individually test each of the methods returned by the HTTP OPTIONS request.
http-methods was submitted by Bernd Stroessenreuther; it sends an OPTIONS request to enumerate the methods supported by a web server.
The script http-trace was written by me, and its purpose is to detect the availability of the HTTP TRACE method. It simply sends a TRACE request and looks for a 200 status code, or for the same request being echoed back by the server.
By setting the script argument http-methods.retest, we can test each HTTP method listed by OPTIONS and analyze the return value to conclude whether TRACE is accessible and not blocked by a firewall or configuration rules.
Remember that the TRACE method could be enabled and yet not listed by OPTIONS, so it is important to run both scripts, http-methods and http-trace, to get better results.
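As an added example (not the book's or Nmap's own code), this Python script reproduces the decision logic of the two NSE scripts described above: OPTIONS to read the Allow header, then a direct TRACE probe that treats a 200 reply or an echoed request as "enabled". It runs against a constructed local server that, like the case just mentioned, honours TRACE without listing it in OPTIONS; the server, the X-Probe header and the loopback port are assumptions of the example.

```python
import http.client
import http.server
import threading

def allowed_methods(host, port, path="/"):
    """Step one of the recipe: send OPTIONS and read the Allow header."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", path)
    allow = conn.getresponse().getheader("Allow") or ""
    conn.close()
    return [m.strip().upper() for m in allow.split(",") if m.strip()]

def trace_enabled(host, port, path="/"):
    """Step two: probe TRACE directly; enabled on a 200 reply or an echoed request."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", path, headers={"X-Probe": "xst-check"})
    resp = conn.getresponse()
    body = resp.read().decode("latin-1", "replace")
    conn.close()
    return resp.status == 200 or "X-Probe: xst-check" in body

class _DemoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed local server: leaves TRACE out of Allow yet still honours it."""
    def log_message(self, *args):
        pass  # keep the demo quiet

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, POST, OPTIONS")
        self.end_headers()

    def do_TRACE(self):
        # Echo the request line and headers back, as a TRACE-enabled server does.
        echo = (self.raw_requestline.decode("latin-1") + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)

def start_demo_server():
    """Bind the constructed server to a free loopback port in a daemon thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

if __name__ == "__main__":
    server = start_demo_server()
    port = server.server_address[1]
    print(allowed_methods("127.0.0.1", port), trace_enabled("127.0.0.1", port))
    server.shutdown()
```

Because the demo server omits TRACE from Allow, the OPTIONS step alone would miss it; only the direct probe reports it, which is why the recipe runs both scripts.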
Use the arguments http-trace.path and http-methods.url-path to request a path other than the root folder (/):
$ nmap -p80 --script http-methods,http-trace --script-args http-methods.retest,http-trace.path=/secret/,http-methods.url-path=/secret/ <target>