Cross-Site Tracing was possible via non-standard override headers [CVE-2022-45411]

We discussed this vulnerability during Episode 169 on 21 November 2022

Cross-Site Tracing is a vulnerability I didn’t think I’d be hearing about again, yet here we are.

If you’re not familiar with Cross-Site Tracing, it is an old technique for exposing httpOnly cookies so that JavaScript can read them. TRACE is a bodyless HTTP verb (like GET) whose response body is supposed to echo the received request headers back to the client. A server is allowed to modify that echo to hide sensitive data, but in practice that rarely happens. So sending a TRACE was a way to read the cookies that you otherwise couldn’t access from JavaScript.

Firefox and other browsers already forbid certain HTTP verbs from being used in all situations, and TRACE is one of them. However, some servers support non-standard headers that override the verb of the request, potentially transforming a “safe” GET request that the browser allows into a TRACE request on the server side. Mozilla products have started blocking the use of x-http-method-override, x-http-method, and x-method-override with a value that could be interpreted as TRACE (or another forbidden verb).
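The same check can be applied on the server side, so that a framework honouring these override headers never turns a GET into a TRACE. The following is an added example, not code from Firefox or from any project named above; it assumes request headers arrive as a plain name/value mapping and uses the three override header names from the post.

```python
# Added example (not from the original post): a server-side guard that mirrors the
# browser-side mitigation. It resolves the "effective" HTTP method after applying the
# non-standard override headers and refuses the request when the result is a forbidden
# verb. Header names are assumed to arrive as a plain dict with arbitrary casing.

from typing import Mapping

# Override headers named in the post, in the order a server might consult them.
OVERRIDE_HEADERS = ("x-http-method-override", "x-http-method", "x-method-override")

# Methods the Fetch standard forbids browsers from sending; TRACE is the one that
# enables Cross-Site Tracing.
FORBIDDEN_METHODS = frozenset({"TRACE", "TRACK", "CONNECT"})


def effective_method(method: str, headers: Mapping[str, str]) -> str:
    """Return the verb the application would act on after override headers."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in OVERRIDE_HEADERS:
        value = lowered.get(name)
        if value and value.strip():
            # Compare case-insensitively: "trace" must be treated like "TRACE".
            return value.strip().upper()
    return method.upper()


def is_forbidden_override(method: str, headers: Mapping[str, str]) -> bool:
    """True when a benign-looking request would be rewritten into a forbidden verb."""
    return effective_method(method, headers) in FORBIDDEN_METHODS


def handle_request(method: str, headers: Mapping[str, str]) -> tuple[int, str]:
    """Minimal dispatcher: reject forbidden overrides before any TRACE/echo handling."""
    if method.upper() in FORBIDDEN_METHODS or is_forbidden_override(method, headers):
        return 405, "method not allowed"
    return 200, f"handled {effective_method(method, headers)}"


if __name__ == "__main__":
    # Constructed sample: a GET carrying an override header that names TRACE.
    sample = {"Cookie": "session=abc123", "X-HTTP-Method-Override": "trace"}
    print(handle_request("GET", sample))  # (405, 'method not allowed')
    print(handle_request("POST", {"X-Method-Override": "DELETE"}))  # (200, 'handled DELETE')
```

Legitimate overrides such as PUT or DELETE still pass through, which is the distinction the browser-side block also makes.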