Cross-Site Tracing was possible via non-standard override headers [CVE-2022-45411]
Cross-Site Tracing is a vulnerability I didn’t think I’d be hearing about again, yet here we are.
If you’re not familiar with Cross-Site Tracing, it is an old technique for exposing httpOnly cookies to JavaScript. TRACE is an HTTP verb that carries no request body (like GET), and the response body is meant to echo the received request headers back to the client. A server is permitted to strip sensitive fields such as Cookie from that echo, but in practice that rarely happens. So sending a TRACE was a way to read cookies that JavaScript otherwise couldn’t access: the httpOnly flag keeps them out of document.cookie, but not out of the request headers that the server echoes back.
Firefox and other browsers already forbid certain HTTP verbs from being used in all situations, and TRACE is one of those verbs (the Fetch standard’s forbidden methods are CONNECT, TRACE and TRACK). However, some servers support non-standard headers that override the verb of the request, potentially turning a “safe” GET request that the browser allows into a TRACE request once it reaches the server. Mozilla products have started blocking the use of x-http-method-override, x-http-method, and x-method-override with a value that could be interpreted as TRACE (or another forbidden verb). This is a client-side mitigation for those three header names only; a server that honours a method override should still refuse to override to TRACE, or disable TRACE altogether.
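The following is an added example, not Mozilla’s code nor that of any server framework. It models the attack described above on a toy request object: a vulnerable method-override middleware turns a GET into a TRACE and the TRACE handler echoes the Cookie header, while a hardened override ignores the request. It also shows a client-side check in the shape of the Fetch standard’s forbidden request-header rule. The request object, the handler, the allowlist policy and the sample cookie are all constructed for illustration.

```javascript
// Added example (not Mozilla's or any framework's code). Models the
// Cross-Site Tracing path through a method-override header and the checks
// that close it. All names and sample data here are constructed.

const FORBIDDEN_METHODS = new Set(["CONNECT", "TRACE", "TRACK"]); // Fetch "forbidden methods"
const OVERRIDE_HEADERS = ["x-http-method-override", "x-http-method", "x-method-override"];

// Normalise header names to lower case so lookups are case-insensitive.
function lowerCaseKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// A TRACE endpoint as many servers implement it: echo every request header
// back in the body, Cookie included. This is the sink the attack targets.
function handle(req) {
  if (req.method === "TRACE") {
    const echoed = Object.entries(req.headers)
      .map(([k, v]) => `${k}: ${v}`)
      .join("\r\n");
    return { status: 200, body: echoed };
  }
  return { status: 200, body: "ok" };
}

// Vulnerable override: whatever the override header says becomes the method,
// so a browser-permitted GET reaches handle() as a TRACE.
function applyOverrideVulnerable(req) {
  const h = lowerCaseKeys(req.headers);
  for (const name of OVERRIDE_HEADERS) {
    if (h[name]) return { ...req, method: h[name].trim().toUpperCase() };
  }
  return req;
}

// Hardened override: only tunnel the verbs HTML forms cannot send, and only
// over POST. Anything else (TRACE, TRACK, CONNECT, GET, ...) is ignored.
const OVERRIDE_ALLOWLIST = new Set(["PUT", "PATCH", "DELETE"]); // assumed policy
function applyOverrideHardened(req) {
  if (req.method !== "POST") return req;
  const h = lowerCaseKeys(req.headers);
  for (const name of OVERRIDE_HEADERS) {
    if (!h[name]) continue;
    const wanted = h[name].trim().toUpperCase();
    return OVERRIDE_ALLOWLIST.has(wanted) ? { ...req, method: wanted } : req;
  }
  return req;
}

// Client-side check in the shape of the Fetch standard's forbidden
// request-header rule: refuse the header when its name is one of the
// override headers and its comma-separated, trimmed value contains a
// forbidden method, compared case-insensitively. Simplified: the real
// "get, decode, and split" algorithm also handles quoted strings.
function isForbiddenOverrideHeader(name, value) {
  if (!OVERRIDE_HEADERS.includes(name.toLowerCase())) return false;
  return value
    .split(",")
    .map((v) => v.trim().toUpperCase())
    .some((v) => FORBIDDEN_METHODS.has(v));
}

// End-to-end: run one constructed GET-with-override through a server variant.
function simulate(applyOverride) {
  const req = {
    method: "GET",
    headers: { Cookie: "session=s3cr3t", "X-HTTP-Method-Override": "trace" }, // constructed
  };
  return handle(applyOverride(req));
}
```

With the vulnerable override the simulated response body contains the line "Cookie: session=s3cr3t", which a page on the same origin can read from the fetch() response; with the hardened override the method stays GET and the body is just "ok". The client-side check refuses a value like " trace " or "put, TrAcK" on any of the three header names while leaving "PUT" alone.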