
COMMON ATTACK PATTERN ENUMERATION AND CLASSIFICATION

A Community Resource for Identifying and Understanding Attacks



CAPEC List (Version 3.9)

CAPEC-107: CROSS SITE TRACING

Attack Pattern ID: 107
Abstraction: Detailed

Description
Cross Site Tracing (XST) enables an adversary to steal the victim's session
cookie, and possibly other authentication credentials transmitted in the
headers of the HTTP request, when the victim's browser communicates with a
destination system's web server.
Extended Description

The adversary uses an XSS attack to cause the victim's browser to send an HTTP
TRACE request to a destination web server, which returns a response whose body
contains the original HTTP request. Since the headers of that TRACE request
carried the victim's session cookie, the cookie can be picked out of the TRACE
response body and sent to the adversary's malicious site. XST becomes relevant
when direct access to the session cookie via the "document.cookie" object is
disabled by the httpOnly attribute, which ensures that the cookie is still
transmitted in HTTP requests but cannot be read by script. Using SSL/TLS does
not protect against XST, because the victim's own browser makes the TRACE
request inside the encrypted session. If the system with which the victim is
interacting is susceptible to XSS, an adversary can exploit that weakness
directly to get their malicious script to issue an HTTP TRACE request to the
destination system's web server.

Likelihood Of Attack

Medium

Typical Severity

Very High

Relationships
This table shows the other attack patterns and high level categories that are
related to this attack pattern. These relationships are defined as ChildOf and
ParentOf, and give insight to similar items that may exist at higher and lower
levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and
CanAlsoBe are defined to show similar attack patterns that the user may want to
explore.

Nature     Type                      ID   Name
ChildOf    Standard Attack Pattern   593  Session Hijacking
CanFollow  Standard Attack Pattern   63   Cross-Site Scripting (XSS)

(A standard level attack pattern in CAPEC is focused on a specific methodology
or technique used in an attack. It is often seen as a singular piece of a fully
executed attack. A standard attack pattern is meant to provide sufficient
details to understand the specific technique and how it attempts to accomplish
a desired goal. A standard level attack pattern is a specific type of a more
abstract meta level attack pattern.)

This table shows the views that this attack pattern belongs to and top level
categories within that view.

View Name              Top Level Categories
Domains of Attack      Software
Mechanisms of Attack   Subvert Access Control

Execution Flow
Explore

 1. Determine if HTTP TRACE is enabled: Determine if HTTP TRACE is enabled at
    the web server with which the victim has an active session.

    Techniques: An adversary may issue an HTTP TRACE request to the target web
    server and observe whether the response arrives with the original request
    echoed in the body of the response.

Experiment

 1. Identify a mechanism to launch the HTTP TRACE request: The adversary
    attempts to force the victim's browser to issue an HTTP TRACE request to
    the targeted application.

    Techniques: The adversary probes for cross-site scripting vulnerabilities
    that can be used to force the victim's browser into issuing an HTTP TRACE
    request.

Exploit

 1. Create a malicious script that hits the web server with an HTTP TRACE
    request: The adversary creates a malicious script that will induce the
    victim's browser to issue an HTTP TRACE request to the destination
    system's web server. The script will further intercept the response from
    the web server, pick sensitive information out of it, and forward it to a
    site controlled by the adversary.

    Techniques: The adversary's malicious script circumvents the httpOnly
    cookie attribute, which prevents the victim's session cookie from being
    read directly through document.cookie, and instead uses HTTP TRACE to
    recover that cookie from the request headers once the web server echoes
    them back in the body of the HTTP TRACE response.

 2. Execute the malicious HTTP TRACE launching script: The adversary leverages
    an XSS vulnerability to force the victim's browser to execute the
    malicious HTTP TRACE launching script.

 3. Intercept the HTTP TRACE response: The adversary's script intercepts the
    HTTP TRACE response from the web server, gleans sensitive information from
    it, and forwards that information to a server controlled by the adversary.

Prerequisites

 * HTTP TRACE is enabled on the web server
 * The destination system is susceptible to XSS, or an adversary can leverage
   some other weakness to bypass the same origin policy
 * Scripting is enabled in the client's browser
 * HTTP is used as the communication protocol between the server and the client

Skills Required
[Level: Medium]
Understanding of the HTTP protocol and an ability to craft a malicious script

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences
This table specifies different individual consequences associated with the
attack pattern. The Scope identifies the security property that is violated,
while the Impact describes the negative technical impact that arises if an
adversary succeeds in their attack. The Likelihood provides information about
how likely the specific consequence is expected to be seen relative to the other
consequences in the list. For example, there may be high likelihood that a
pattern will be used to achieve a certain impact, but a low likelihood that it
will be exploited to achieve a different impact.

Scope                                           Impact           Likelihood
Confidentiality                                 Read Data
Confidentiality, Access Control, Authorization  Gain Privileges
Integrity                                       Modify Data

Mitigations

Administrators should disable support for HTTP TRACE at the destination's web
server. Vendors should disable TRACE by default. Patch web browsers against
known same origin policy bypass exploits.
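The Explore step of the execution flow (send a TRACE, look for the request
echoed in the body), the cookie recovery in the Exploit step, and the
server-side mitigation above can all be exercised locally. The following
Python script is an added example written for this page; it is not code from
CAPEC or from the referenced WhiteHat paper. It runs a small HTTP server that
reflects TRACE requests the way a TRACE-enabled server does, a hardened
variant that refuses the method, and a probe that sends a marker cookie and
reports whether that cookie comes back in the response body. The loopback
address, ephemeral port, the `SESSIONID=deadbeef` marker and the handler and
function names are all constructed for the demonstration.

```python
"""Added example (not CAPEC's own code): a TRACE-echoing server, a hardened
server, and a probe that performs CAPEC-107's Explore step against both."""
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed marker cookie for the probe; a real probe would also use a dummy
# value, since the point is only to see whether the header is reflected.
MARKER_COOKIE = "SESSIONID=deadbeef"

# Matches a reflected Cookie header line inside the message/http body.
COOKIE_LINE = re.compile(r"^Cookie:[ \t]*([^\r\n]*)", re.IGNORECASE | re.MULTILINE)


class TraceEchoHandler(BaseHTTPRequestHandler):
    """TRACE-enabled (vulnerable) server: reflects the request line and every
    request header, Cookie included, as a message/http body."""

    def do_TRACE(self):
        echoed = f"{self.command} {self.path} {self.request_version}\r\n"
        echoed += "".join(f"{name}: {value}\r\n" for name, value in self.headers.items())
        body = (echoed + "\r\n").encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):
        pass  # keep the demo quiet


class TraceDisabledHandler(TraceEchoHandler):
    """Hardened server: the method is refused, so nothing is reflected."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()


def probe_trace(host, port, cookie=MARKER_COOKIE):
    """Explore step: send TRACE carrying a marker cookie and inspect the body.
    Returns the reflected cookie value if the server echoes it, else None."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", "/", headers={"Cookie": cookie})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", errors="replace")
    finally:
        conn.close()
    # A reflecting server answers 200 and starts the body with our request line.
    if resp.status != 200 or not body.startswith("TRACE / HTTP/1."):
        return None
    match = COOKIE_LINE.search(body)
    return match.group(1) if match else None


def serve(handler):
    """Start a handler on an ephemeral loopback port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Probe a vulnerable and a hardened server; return what each reflected."""
    results = {}
    for label, handler in (("vulnerable", TraceEchoHandler), ("hardened", TraceDisabledHandler)):
        server = serve(handler)
        try:
            results[label] = probe_trace("127.0.0.1", server.server_address[1])
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    print(demo())
```

The probe is the server-side check; the value it returns for the vulnerable
handler is exactly what the adversary's script in the Exploit step would lift
out of the TRACE response. The browser-side half of the pattern has since been
closed: both XMLHttpRequest and fetch treat TRACE as a forbidden method and
throw instead of sending it, which is why the example instance below relies on
the legacy XMLHTTP ActiveX control. Disabling TRACE at the server (for example
`TraceEnable off` in Apache httpd), which the hardened handler models, remains
the mitigation CAPEC recommends.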

Example Instances

An adversary determines that a particular system is vulnerable to reflected
cross-site scripting (XSS) and endeavors to leverage this weakness to steal the
victim's authentication cookie. The adversary realizes that since the httpOnly
attribute is set on the user's cookie, it is not possible to steal it directly
with their malicious script. Instead, the adversary has their script use the
XMLHTTP ActiveX control in the victim's IE browser to issue an HTTP TRACE to the
target system's server, which has HTTP TRACE enabled. The original HTTP TRACE
request contains the session cookie, and so does the echoed response. The script
picks the session cookie out of the body of the HTTP TRACE response and ships it
to a server controlled by the adversary. The adversary then uses the newly
acquired session cookie to impersonate the victim in the target system.

In the absence of an XSS weakness on the site with which the victim is
interacting, an adversary can serve the script from a site they control and have
it execute in the victim's browser (if they can trick the victim into visiting
their malicious website or clicking on a link they supply). However, in that
case, because of the browser's same origin policy, the adversary's malicious
script cannot directly issue an HTTP TRACE request to the destination system's
web server, since the script did not originate from that domain. The adversary
will then need to find and exploit another weakness that lets them circumvent
the same origin policy.

Related Weaknesses
A Related Weakness relationship associates a weakness with this attack pattern.
Each association implies a weakness that must exist for a given attack to be
successful. If multiple weaknesses are associated with the attack pattern, then
any of the weaknesses (but not necessarily all) may be present for the attack to
be successful. Each related weakness is identified by a CWE identifier.

CWE-ID   Weakness Name
693      Protection Mechanism Failure
648      Incorrect Use of Privileged APIs

Taxonomy Mappings
CAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline
and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated
by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that
the ATT&CK Enterprise Framework does not use an inheritance model as part of the
mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping (see parent)
Relevant to the OWASP taxonomy mapping

Entry Name: Cross Site Tracing

References
[REF-3] Jeremiah Grossman. "Cross-Site Tracing (XST)". WhiteHat Security. 2003.
<http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf>.

Content History

Submissions
Submission Date            Submitter           Organization
2014-06-23 (Version 2.6)   CAPEC Content Team  The MITRE Corporation

Modifications
Modification Date           Modifier            Organization           Modification
2017-05-01 (Version 2.10)   CAPEC Content Team  The MITRE Corporation  Updated Related_Attack_Patterns
2017-08-04 (Version 2.11)   CAPEC Content Team  The MITRE Corporation  Updated Attack_Phases, Attack_Prerequisites, Description Summary, Examples-Instances, Resources_Required
2020-07-30 (Version 3.3)    CAPEC Content Team  The MITRE Corporation  Updated Description, Example_Instances
2020-12-17 (Version 3.4)    CAPEC Content Team  The MITRE Corporation  Updated Description, Example_Instances, Execution_Flow, Related_Attack_Patterns, Taxonomy_Mappings
2022-02-22 (Version 3.7)    CAPEC Content Team  The MITRE Corporation  Updated Description, Extended_Description


Page Last Updated or Reviewed: July 31, 2018
 


Use of the Common Attack Pattern Enumeration and Classification (CAPEC), and the
associated references from this website are subject to the Terms of Use. CAPEC
is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and
Infrastructure Security Agency (CISA) and managed by the Homeland Security
Systems Engineering and Development Institute (HSSEDI) which is operated by The
MITRE Corporation (MITRE). Copyright © 2007–2023, The MITRE Corporation. CAPEC
and the CAPEC logo are trademarks of The MITRE Corporation.