Amit Klein has written a new article entitled "XST Strikes Back (or perhaps "Return from the Proxy"…)". Whatever
the final title may be, it outlines how XST vulnerabilities can still exist when a proxy server sits in front of
the server that an attacker wants to target.
"About three years ago, the concept of "Cross Site Tracing" [1] was
introduced to the web application security community. In essence, the
classic XST is about amplifying an existing XSS vulnerability such that
HttpOnly cookies and HTTP authentication credentials can be
compromised. This is done using a client side XmlHttpRequest object
that sends a TRACE request back to the server, receives the request
echoed back by the server's TRACE function, and extracts the
information from the echoed back request. The recommendation in [1] is
to turn off TRACE support in the web server, which indeed takes care of
the attack as described.
However, let us now consider a situation wherein there is a
proxy server somewhere between the client (browser) and the server. In
such a case, it is possible to force the proxy server (at least, in
theory) to respond to the TRACE request, rather than the origin server
itself. Thus, HTTP TRACE can still be used to compromise the
credentials of the user, even if the server does not support the TRACE
request." – Amit
Article Link: http://www.cgisecurity.com/lib/xst-strikes-back.shtml
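
A defender-side check for the situation the quoted passage describes, as an added example that is not from the article or from this post: probe the origin directly and the same site through its proxy, then flag a proxy that echoes TRACE even though the origin refuses it. The `X-Audit` header, the canary value, the dummy cookie and the sample bodies are constructed assumptions.

```python
import http.client

SENSITIVE = ("cookie", "authorization")  # headers XST aims to read back
CANARY = "xst-audit-canary"              # constructed marker value

def assess(status, body, canary=CANARY):
    """Classify one TRACE response: was the request echoed back, and
    which credential headers appear in the echo?"""
    echoed = status == 200 and canary in body
    leaked = []
    if echoed:
        for line in body.splitlines():
            name = line.partition(":")[0].strip().lower()
            if name in SENSITIVE and name not in leaked:
                leaked.append(name)
    return {"status": status, "echoed": echoed, "leaked": leaked}

def probe(host, port=80, canary=CANARY):
    """Send TRACE with dummy credentials to a host you administer."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", "/", headers={
        "X-Audit": canary,                      # hypothetical marker header
        "Cookie": "session=dummy-audit-value",  # constructed, not a real session
    })
    resp = conn.getresponse()
    body = resp.read().decode("iso-8859-1")
    conn.close()
    return assess(resp.status, body, canary)

def verdict(origin, front_end):
    """Compare the origin probed directly with the site probed via its proxy."""
    if origin["echoed"]:
        return "origin answers TRACE: disable it on the web server"
    if front_end["echoed"]:
        return "proxy answers TRACE although the origin refuses: disable it on the proxy"
    return "no TRACE echo on either path"

# Constructed sample responses (not captured traffic).
ORIGIN_BODY = "<html>405 Method Not Allowed</html>"
PROXY_BODY = ("TRACE / HTTP/1.1\r\nHost: www.example.test\r\n"
              "X-Audit: xst-audit-canary\r\n"
              "Cookie: session=dummy-audit-value\r\n\r\n")
```

In a live audit, pass the results of `probe()` against the origin's own address and against the proxy's public address to `verdict()`.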