{{Refimprove, date=July 2007
In web security, cross-site tracing (abbreviated "XST") is a network security vulnerability exploiting the
HTTP
HTTP (Hypertext Transfer Protocol) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, wher ...
TRACE method.
XST scripts exploit
ActiveX
ActiveX is a deprecated software framework created by Microsoft that adapts its earlier Component Object Model (COM) and Object Linking and Embedding (OLE) technologies for content downloaded from a network, particularly from the World Wide W ...
, Flash, or any other controls that allow executing an HTTP TRACE request. The HTTP TRACE response includes all the HTTP headers including authentication data and
HTTP cookie
HTTP cookie (also called web cookie, Internet cookie, browser cookie, or simply cookie) is a small block of data (computing), data created by a web server while a user (computing), user is browsing a website and placed on the user's computer o ...
contents, which are then available to the script. In combination with cross domain access flaws in
web browser
A web browser, often shortened to browser, is an application for accessing websites. When a user requests a web page from a particular website, the browser retrieves its files from a web server and then displays the page on the user's scr ...
s, the exploit is able to collect the cached
credentials
A credential is a piece of any document that details a qualification, competence, or authority issued to an individual by a third party with a relevant or '' de facto'' authority or assumed competence to do so.
Examples of credentials include ac ...