Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

CVE-2022-45411: Cross-Site Tracing was possible via non-standard override headers

Mozilla, posted 3 years ago
  • The TRACE method exists for debugging. When a server receives a TRACE request, it reflects the request it received, headers included, back in the response body.
  • The HTTPOnly cookie flag makes a cookie inaccessible to JavaScript. This limits the damage of an XSS bug, since the script cannot simply read the session cookie.
  • What happens when we put these together? If a page could issue a TRACE request, the browser would attach the HTTPOnly cookie, the server would reflect it in the response body, and the script could read it from there, bypassing the protection. That is cross-site tracing, and it is why browsers banned TRACE and TRACK from script-initiated requests. But that was years ago.
  • This vulnerability is a variation of that HTTPOnly bypass. Instead of sending a TRACE or TRACK request directly, the verb is changed on the server side: there is a non-standard but common header, X-HTTP-Method-Override, that many frameworks and proxies honour, and the browser did not block it.
  • A request carrying that header therefore slipped past the original protection and got the HTTPOnly cookie reflected back in the response. Pretty good blast from the past on this one!
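An added example (not part of this page or of Mozilla's fix) showing the server-side half of the mitigation: a WSGI middleware that resolves the verb the application would actually act on, override headers included, and refuses TRACE/TRACK before any handler can reflect the Cookie header. X-HTTP-Method-Override is the header the advisory names; the two other header names, the echoing stand-in app and the sample request are assumptions made for the demo.

```python
from typing import Callable, Iterable

# X-HTTP-Method-Override is the header the advisory names; the other two are
# assumed aliases that some frameworks and reverse proxies also honour.
OVERRIDE_HEADERS = ("HTTP_X_HTTP_METHOD_OVERRIDE", "HTTP_X_HTTP_METHOD", "HTTP_X_METHOD_OVERRIDE")
ECHO_METHODS = frozenset({"TRACE", "TRACK"})

def effective_method(environ: dict) -> str:
    """The verb the application would act on: an override header wins when present,
    which is exactly why a TRACE smuggled through one must be rejected up front."""
    for key in OVERRIDE_HEADERS:
        value = environ.get(key, "").strip()
        if value:
            return value.upper()
    return environ.get("REQUEST_METHOD", "GET").upper()

def block_cross_site_tracing(app: Callable) -> Callable:
    """WSGI middleware: any request resolving to TRACE/TRACK gets a 405 and never
    reaches the application, so nothing can reflect the Cookie header back."""
    def guarded(environ: dict, start_response: Callable) -> Iterable[bytes]:
        if effective_method(environ) in ECHO_METHODS:
            start_response("405 Method Not Allowed", [("Content-Type", "text/plain")])
            return [b"TRACE/TRACK are not served, including via override headers\n"]
        return app(environ, start_response)
    return guarded

def echo_app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Stand-in for an unguarded TRACE handler: reflects every request header,
    Cookie included, which is the leak the advisory describes."""
    start_response("200 OK", [("Content-Type", "message/http")])
    lines = [f"{k[5:].replace('_', '-').title()}: {v}" for k, v in environ.items() if k.startswith("HTTP_")]
    return ["\n".join(lines).encode()]

def run(app: Callable, environ: dict) -> tuple:
    """Minimal in-process WSGI driver: returns (status line, decoded body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"] = status
    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()

# Constructed sample: a cross-origin POST carrying the override header plus the
# HttpOnly cookie the browser attached even though script cannot read it.
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "POST",
    "PATH_INFO": "/",
    "HTTP_X_HTTP_METHOD_OVERRIDE": "TRACE",
    "HTTP_COOKIE": "session=constructed-httponly-value",
}
```

Running `run(echo_app, SAMPLE_ENVIRON)` shows the cookie value in the reflected body; wrapping the same app in `block_cross_site_tracing` turns that request into a 405 with no cookie in the response, while ordinary GET and POST traffic passes through unchanged.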