Detecting possible XST vulnerabilities
Cross-Site Tracing (XST) vulnerabilities arise from Cross-Site Scripting (XSS) vulnerabilities in web servers where the TRACE HTTP method is enabled. This technique is mainly used to bypass the cookie restrictions imposed by the httpOnly directive. Penetration testers can save time by using Nmap to quickly determine whether the web server has the TRACE method enabled.
This recipe describes how to use Nmap to check whether the TRACE HTTP method is enabled and susceptible to possible XST vulnerabilities.
How to do it...
To detect exploitable XST vulnerabilities with Nmap, follow these steps:
- Open a terminal and enter the following Nmap command:
$ nmap -sV --script http-methods,http-trace --script-args http-methods.retest <target>
- If TRACE is enabled and accessible, we should see something like this:

PORT   STATE SERVICE
80/tcp open  http
|_http-trace: TRACE is enabled
| http-methods: GET HEAD POST OPTIONS TRACE
| Potentially risky methods...
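The check Nmap's http-trace script performs is a single TRACE request whose body is reflected back with a message/http content type. The following Python, added here as an example (it is not part of the recipe or of Nmap), performs that same verification so an administrator can confirm TRACE really is disabled after hardening a server; the function names, the probe header and the sample responses are all constructed for illustration.

```python
"""Verify whether an HTTP server echoes TRACE requests, the condition that
Nmap's http-trace script reports. Added example, not part of the original
recipe or of Nmap; helper names and sample responses are constructed."""
import socket

PROBE = "X-Probe: xst-check"  # constructed marker header to look for in the echo


def build_trace_request(host, path="/", marker=PROBE):
    # An enabled TRACE endpoint reflects the entire request, including
    # our marker header, in the response body.
    return (f"TRACE {path} HTTP/1.1\r\nHost: {host}\r\n{marker}\r\n"
            f"Connection: close\r\n\r\n").encode()


def trace_enabled(raw_response, marker=PROBE):
    """True only when the reply is a 200 with a message/http body that
    contains the probe header; a 200 HTML page or a 405 is a negative."""
    head, _, body = raw_response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].split(b" ", 2)
    if len(status) < 2 or status[1] != b"200":
        return False
    headers = {k.strip().lower(): v.strip().lower()
               for k, _, v in (line.partition(b":") for line in lines[1:])}
    if not headers.get(b"content-type", b"").startswith(b"message/http"):
        return False
    return marker.encode() in body


def check_host(host, port=80, timeout=5.0):
    """Send one TRACE request to host:port and report whether it is echoed."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return trace_enabled(b"".join(chunks))


# Constructed sample responses so the parser can be exercised offline.
ENABLED = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
           b"TRACE / HTTP/1.1\r\nHost: example.test\r\nX-Probe: xst-check\r\n\r\n")
DISABLED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"
HTML_200 = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<html>X-Probe: xst-check</html>")
```

Run `check_host("your-server")` against a host you administer; a `True` result corresponds to the `TRACE is enabled` line in the Nmap output above, and the Apache directive `TraceEnable off` is the usual fix.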