
Is it still possible to use HTTP TRACE for XSS in modern Web Browsers?

Çağlar Arlı      -    14 Views


Let's assume we are talking about top 10 most used web browsers: Usage share of web browsers

https://www.cgisecurity.com/questions/httptrace.shtml

'TRACE' is an HTTP request method used for debugging which echoes input back to the user. Jeremiah Grossman from Whitehatsec posted a paper outlining a risk allowing an attacker to steal information including Cookies, and possibly website credentials. http://www.apacheweek.com suggests the following solution to disable the HTTP TRACE method by using mod_rewrite.

"TRACE requests can be disabled by making a change to the Apache server configuration. Unfortunately it is not possible to do this using the Limit directive since the processing for the TRACE request skips this authorisation checking. Instead the following lines can be added which make use of the mod_rewrite module.

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]" - www.apacheweek.com

and an answer from 2012:

How to exploit HTTP Methods

TRACE - this is the surprising one... Again, a diagnostic method (as @Jeff mentioned), that returns in the response body, the entire HTTP Request. This includes the request body, but also the request headers, including e.g. cookies, authorization headers, and more. Not too surprising, this can be substantially misused, such as the classic Cross-Site Tracing (XST) attack, wherein an XSS vector can be utilized to retrieve HttpOnly cookies, authorization headers, and such. This should definitely be disabled.

It was possible to exploit it like 10 or 15 years ago with JavaScript (now JS is not allowed to make HTTP TRACE requests) and was possible to exploit it with Flash, but now Flash can officially be considered dead.

Are there still any ways to exploit HTTP TRACE (if it is enabled on the server)?


This OWASP article is currently pretty useless, but I put it here: Cross Site Tracing (it is still interesting as history of hacking). It was discovered by Jeremiah Grossman (2003): https://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf


EDIT

In the comment section it was mentioned that most modern web servers aren't using HTTP TRACE at all. Well, by default HTTP TRACE is disabled or requires some additional modules. But it still exists and is there for debugging purposes.

(February 2019) Below are the latest statistics of the market share of all sites of the top web servers on the Internet by W3Techs (https://en.wikipedia.org/wiki/Web_server):
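One way to verify the server side of this, as an added example that is not part of the question: a small Python check that sends a single TRACE request to a server you administer and classifies the reply by whether the server echoes the request back (the precondition for XST) or refuses the method (e.g. the 403 produced by the mod_rewrite rule quoted above). The host, port, and the marker header name X-Trace-Check are assumptions chosen for the example, not a standard tool's.

```python
import http.client
import secrets
import sys

# Response classes used by this example (constructed labels, not an HTTP standard).
REFLECTED = "reflected"   # server echoed our request: TRACE is enabled
REJECTED = "rejected"     # server refused the method (403 from the rewrite rule, 405, 501)
UNCLEAR = "unclear"       # anything else: 2xx without the echo, redirects, 5xx


def classify_trace_response(status: int, body: bytes, marker: bytes) -> str:
    """Decide what a TRACE response tells us.

    A server that honours TRACE answers 200 with a body that repeats the
    request line and headers it received, so finding our own random marker
    header in the body proves the method is enabled and reflecting headers.
    """
    if status == 200 and marker in body and body.lstrip().startswith(b"TRACE "):
        return REFLECTED
    if status in (403, 405, 501):
        return REJECTED
    return UNCLEAR


def check_trace(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> str:
    """Send one TRACE request carrying a random marker header and classify the reply."""
    marker = "xst-check-" + secrets.token_hex(4)   # unique per run so the echo is unambiguous
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # TRACE requests carry no body; only the marker header is sent.
        conn.request("TRACE", path, headers={"X-Trace-Check": marker})
        resp = conn.getresponse()
        return classify_trace_response(resp.status, resp.read(), marker.encode())
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python trace_check.py <host>   (defaults to localhost)
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(f"TRACE on {target}: {check_trace(target)}")
```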