A Cross-Site Tracing (XST) attack combines Cross-Site Scripting (XSS) with the HTTP TRACE or TRACK methods. RFC 2616 (since superseded by RFC 7231 §4.3.8 and RFC 9110, which define TRACE the same way) says: "TRACE allows the client to see what is being received at the other end of the request chain and use that data for testing or diagnostic information." In practice the server echoes the entire request it received, including every header, back in the response body. TRACK is an undocumented alias with the same behaviour that is specific to Microsoft's IIS. Because the echo includes the Cookie and Authorization headers, script running in the victim's browser could use XST to read cookies that carry the HttpOnly flag and to capture the user's Authorization header (for example HTTP Basic credentials), neither of which XSS alone can reach from document.cookie. Caveat: current browsers treat TRACE and TRACK as forbidden methods in XMLHttpRequest and fetch(), so the browser-side half of the attack no longer works from a modern browser. An enabled TRACE endpoint is still a finding, since it shows the server is not hardened and the echo is trivially reproducible with curl, as below.
Example: 127.0.0.1 runs aaPanel. The response body is the request exactly as the server received it, Cookie header included (curl's progress meter, which the original capture mixed into the output, is suppressed with -s; add -i to also see the status line):

$ curl -s -X TRACE -H "Cookie: testing=woot123" 127.0.0.1
TRACE / HTTP/1.1
Host: 149.28.240.102
User-Agent: curl/7.70.0
Accept: */*
Cookie: testing=woot123
Disable TRACE/TRACK in Apache HTTPD: add TraceEnable Off to the server configuration (main config or a VirtualHost; the directive is not accepted in .htaccess) and reload. With it set, the core server and mod_proxy answer TRACE with 405 Method Not Allowed. Verify with curl -s -i -X TRACE http://host/ and confirm the response is a 405 with no echoed headers. For comparison, nginx has no TRACE implementation and returns 405 by default.
https://techleader.pro/a/383-Disabling-the-TRACE-method-in-Apache2
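The following is an added example, not code from the original page, from aaPanel or from Apache: it stands up a tiny local HTTP server that echoes TRACE requests the way the curl session above shows, a hardened variant that refuses TRACE with 405 (the behaviour TraceEnable Off gives you), and a probe that tells the two apart by checking whether a unique marker header and a sensitive-looking cookie come back in the body. All hosts, ports, header names and cookie values are constructed for the demo.

```python
"""Vulnerable vs hardened TRACE handling, plus an XST probe (added example)."""
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class VulnerableHandler(BaseHTTPRequestHandler):
    """Echoes the request line and all headers back in the body: the
    RFC-described TRACE behaviour that leaks Cookie and Authorization."""

    def do_TRACE(self):
        echoed = f"{self.requestline}\r\n{self.headers}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echoed)))
        self.end_headers()
        self.wfile.write(echoed)

    def log_message(self, *args):  # keep the demo quiet
        pass


class HardenedHandler(VulnerableHandler):
    """Same server with TRACE disabled: the method is rejected with 405
    and nothing from the request is reflected."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_server(handler):
    """Bind to an ephemeral loopback port and serve in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_trace(host, port, path="/"):
    """Send a TRACE carrying a random marker header and a constructed cookie.
    Returns (status, echoed); echoed is True only if the body reflects both,
    i.e. the server would hand an attacker the headers XST is after."""
    marker = secrets.token_hex(8)
    cookie = "session=HttpOnlyValue123"  # constructed: what an attacker wants back
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", path, headers={
        "X-XST-Probe": marker,  # unique per probe, so a normal page cannot false-positive
        "Cookie": cookie,
    })
    resp = conn.getresponse()
    body = resp.read().decode("latin-1", "replace")
    conn.close()
    return resp.status, (marker in body and cookie in body)


def demo():
    """Probe both servers and return {"vulnerable": (status, echoed), "hardened": ...}."""
    results = {}
    for name, handler in (("vulnerable", VulnerableHandler), ("hardened", HardenedHandler)):
        srv = start_server(handler)
        try:
            results[name] = probe_trace(*srv.server_address)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, (status, echoed) in demo().items():
        print(f"{name}: HTTP {status}, request echoed = {echoed}")
```

Point probe_trace at a real host instead of the demo servers to check a target: a 200 with echoed equal to True is the XST condition, a 405 (or 403 from a WAF) with echoed equal to False means the method is disabled. The random marker matters because some applications reflect request data in ordinary error pages; only a body that contains the marker you just generated proves the server is echoing the request itself.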
Ref : https://owasp.org/www-community/attacks/Cross_Site_Tracing