Detecting possible XST vulnerabilities

Cross Site Tracing (XST) attacks combine a Cross Site Scripting (XSS) vulnerability with a web server that has the HTTP method TRACE enabled, since TRACE echoes the request, headers included, back to the client. The technique is mainly used to bypass the cookie restrictions imposed by the httpOnly flag. Pentesters can save time by using Nmap to quickly determine whether a web server has the TRACE method enabled.

This recipe describes how to use Nmap to check whether TRACE is enabled, and therefore whether the server is exposed to possible Cross Site Tracing (XST) attacks.

How to do it...

Open a terminal and enter the following command:

$ nmap -p80 --script http-methods,http-trace --script-args http-methods.retest <target>

If TRACE is enabled and accessible, we should see something similar to this:

PORT    STATE SERVICE
80/tcp  open  http
|_http-trace: TRACE is enabled
| http-methods: GET HEAD POST OPTIONS TRACE
| Potentially risky methods: TRACE
| See http://nmap.org/nsedoc/scripts/http-methods.html
| GET / -> HTTP/1.1 200 OK
|
| HEAD / -> HTTP/1.1 200 OK
|
| POST / -> HTTP/1.1 200 OK
|
| OPTIONS / -> HTTP/1.1 200 OK
|
|_TRACE / -> HTTP/1.1 200 OK

Otherwise, http-trace won't return anything and TRACE will not be listed under http-methods:

PORT   STATE SERVICE
80/tcp open  http
| http-methods: GET HEAD POST OPTIONS
| GET / -> HTTP/1.1 200 OK
|
| HEAD / -> HTTP/1.1 200 OK
|
| POST / -> HTTP/1.1 200 OK
|
|_OPTIONS / -> HTTP/1.1 200 OK

Nmap done: 1 IP address (1 host up) scanned in 14.41 seconds

How it works...

The arguments -p80 --script http-methods,http-trace --script-args http-methods.retest tell Nmap to run the NSE scripts http-methods and http-trace against port 80 if a web server is detected there, and (through http-methods.retest) to test each of the methods returned by the HTTP OPTIONS request individually.

http-methods was submitted by Bernd Stroessenreuther; it sends an OPTIONS request to enumerate the methods supported by the web server.

The script http-trace was written by me, and its purpose is to detect the availability of the HTTP method TRACE. It simply sends a TRACE request and looks for a 200 status code, or checks whether the same request is echoed back by the server.

There's more...

By setting the script argument http-methods.retest, we can test each HTTP method listed by OPTIONS individually and analyze the response to conclude whether TRACE is accessible and not blocked by a firewall or configuration rules.

$ nmap -p80 --script http-methods,http-trace --script-args http-methods.retest <target>
PORT    STATE SERVICE
80/tcp  open  http
|_http-trace: TRACE is enabled
| http-methods: GET HEAD POST OPTIONS TRACE
| Potentially risky methods: TRACE
| See http://nmap.org/nsedoc/scripts/http-methods.html
| GET / -> HTTP/1.1 200 OK
|
| HEAD / -> HTTP/1.1 200 OK
|
| POST / -> HTTP/1.1 200 OK
|
| OPTIONS / -> HTTP/1.1 200 OK
|
|_TRACE / -> HTTP/1.1 200 OK

Remember that the method TRACE could be enabled but not listed by OPTIONS, so it is important to run both scripts, http-methods and http-trace, to get better results.

Use the arguments http-trace.path and http-methods.url-path to request a path other than the root folder ( / ):

$ nmap -p80 --script http-methods,http-trace --script-args http-methods.retest,http-trace.path=/secret/,http-methods.url-path=/secret/ <target>
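As an added example (not code from this recipe or from Nmap's NSE scripts), the following Python mirrors the decisions the two scripts make: allowed_methods() reads the Allow header of an OPTIONS response, as http-methods does, trace_enabled() applies the http-trace rule (a 200 response, or the request echoed back), and assess() combines both so TRACE is still tested when OPTIONS omits it. The sample responses are constructed, example.test is a placeholder host, and probe() is an assumed live helper that takes the same host, port and path the recipe's command does.

```python
import socket

# Constructed sample responses (not captured from a real server) so the checks run offline.
OPTIONS_OK = b"HTTP/1.1 200 OK\r\nAllow: GET,HEAD,POST,OPTIONS,TRACE\r\n\r\n"
TRACE_ECHO = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
              b"TRACE / HTTP/1.1\r\nHost: example.test\r\n\r\n")
TRACE_DENIED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST,OPTIONS\r\n\r\n"

def build_request(method, host, path="/"):
    # Minimal HTTP/1.1 request; Connection: close lets the client read until EOF.
    return (f"{method} {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: xst-probe\r\n"
            f"Connection: close\r\n\r\n").encode()

def split_response(raw):
    # Parse a raw response into (status code, lower-cased header dict, body bytes).
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    headers = {n.strip().lower(): v.strip() for n, _, v in
               (line.partition(":") for line in header_lines)}
    return int(status_line.split()[1]), headers, body

def allowed_methods(options_response):
    # The http-methods check: read the Allow header returned for OPTIONS.
    _, headers, _ = split_response(options_response)
    return [m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()]

def trace_enabled(trace_request, trace_response):
    # The http-trace decision: TRACE is enabled on a 200, or when the server echoes
    # our request line back in the body (Content-Type: message/http).
    status, _, body = split_response(trace_response)
    return status == 200 or body.lstrip().startswith(trace_request.split(b"\r\n", 1)[0])

def assess(options_response, trace_request, trace_response):
    # Both checks together, as the recipe runs http-methods with http-trace: TRACE can
    # be reachable even when OPTIONS does not list it, hence the explicit retest.
    methods = allowed_methods(options_response)
    return {"methods": methods, "advertised": "TRACE" in methods,
            "trace_enabled": trace_enabled(trace_request, trace_response)}

def send(host, port, request):
    # Live helper (assumed): one request per connection, read until the server closes it.
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(request)
        return s.makefile("rb").read()

def probe(host, port=80, path="/"):
    # Live check of host:port for the same two signals as the nmap command above.
    trace_req = build_request("TRACE", host, path)
    return assess(send(host, port, build_request("OPTIONS", host, path)),
                  trace_req, send(host, port, trace_req))
```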

HTTP User Agent

Some packet filtering products block requests made with Nmap's default HTTP User-Agent. You can use a different User-Agent by setting the argument http.useragent:

$ nmap -p80 --script http-trace --script-args http.useragent="Mozilla 42" <target>

See also

  • The Checking if an HTTP proxy is open recipe
  • The Discovering interesting files and directories on various web servers recipe
  • The Detecting web application firewalls recipe
  • The Finding SQL injection vulnerabilities in web applications recipe
  • The Detecting web servers vulnerable to slowloris denial of service attacks recipe