Cross-site tracing (XST) is a sophisticated form of cross-site scripting (XSS) that can bypass security countermeasures already put in place to protect against XSS, such as the HttpOnly cookie flag. An XST attack combines XSS with the HTTP TRACE or TRACK methods.
The TRACE method allows the client to see what is being received at the other end of the request chain and use that data for testing or diagnostic information: the server echoes the request it received, headers included, back in the response body. The TRACK method works the same way but is specific to Microsoft's IIS web server. Because that echo can be read by script, XST can be used to steal a user's cookies via XSS even when the cookie has the HttpOnly flag set, and can likewise expose the user's Authorization header.
A typical XST attack begins when an unwary Internet user visits a site hosted by a compromised server, which sends scripting code to the victim's computer. The victim's computer then sends an HTTP TRACE request to some other site the victim has recently visited. That second site echoes the victim's cookies or other authentication data back in its TRACE response, from which they reach the hacked server, and so the attacker.
See also: Cross-site scripting (XSS)