Full Report
The TRACE method is used for debugging applications. When a request is made with this method, the server echoes the request it received, verb and all, back in the response body. The HTTPOnly cookie flag makes the cookie inaccessible from JavaScript, so that an XSS bug cannot be escalated into stealing auth cookies. What happens when we put these together? If a request is made with TRACE, the cookie carrying the HTTPOnly flag comes back in the response body, bypassing the protection. As a result, TRACE and TRACK were banned from browser requests. But that was years ago. This vulnerability is a variation of that HTTPOnly bypass: instead of issuing the request with TRACE or TRACK directly, we can force the verb to change on the server side. There is a non-standard but common header called X-HTTP-Method-Override. Sending it with a permitted method bypasses the original protection, and the HTTPOnly cookie comes back in the response. Pretty good blast from the past on this one!
Analysis Summary
# Vulnerability: Cross-Site Tracing (XST) via Method Override Headers in Firefox
## CVE Details
- **CVE ID:** CVE-2022-45411
- **CVSS Score:** 6.5 (Moderate/Medium) - *Estimated based on Mozilla "Moderate" rating*
- **CWE:** CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
## Affected Systems
- **Products:** Mozilla Firefox
- **Versions:** Versions prior to Firefox 107
- **Configurations:** Web environments where servers support non-standard override headers (e.g., `X-HTTP-Method-Override`).
## Vulnerability Description
This vulnerability is a modern variation of **Cross-Site Tracing (XST)**. Traditionally, browsers block the `TRACE` and `TRACK` HTTP methods in `fetch()` and `XMLHttpRequest` to prevent scripts from reading reflected `HTTPOnly` cookies or authorization headers.
However, many modern web servers support the non-standard `X-HTTP-Method-Override` header. This flaw allowed an attacker to bypass browser-level method restrictions by sending a standard request (such as POST) that carried the override header. The browser would permit the request, but the server would treat it as a `TRACE` request, reflecting the full HTTP request, `HTTPOnly` cookies included, back into the response body where malicious JavaScript could read it.
## Exploitation
- **Status:** PoC available (Technique is well-documented; specific bypass identified by researcher "scarlet")
- **Complexity:** Medium
- **Attack Vector:** Network (Web-based/Remote)
## Impact
- **Confidentiality:** High (Allows access to `HTTPOnly` session cookies and sensitive auth headers)
- **Integrity:** None
- **Availability:** None
## Remediation
### Patches
- **Firefox 107:** This version includes a fix that restricts the use of sensitive method-override headers in web requests. Users should update to Firefox 107 or later.
### Workarounds
- **Server-Side Mitigation:** Disable support for the `TRACE` method on the web server (e.g., `TraceEnable off` in Apache).
- **Header Filtering:** Configure reverse proxies or web application firewalls (WAFs) to strip `X-HTTP-Method-Override`, `X-HTTP-Method`, and `X-Method-Override` headers if they are not required for legitimate business logic.
## Detection
- **Indicators of Compromise:** Unusual `TRACE` requests appearing in server logs originating from browser clients.
- **Detection Methods:** Monitor for the presence of `X-HTTP-Method-Override` headers in incoming traffic, especially when paired with cross-origin requests.
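The header-filtering workaround and the detection method above, as an added example that is not part of this advisory or of any Firefox or server code. It assumes a proxy that can inspect request headers before forwarding, and the access-log layout it parses is a constructed sample, not any real server's format.

```python
from typing import Iterable, Mapping

# Override header names listed in the Workarounds section (matched case-insensitively).
OVERRIDE_HEADERS = ("x-http-method-override", "x-http-method", "x-method-override")
# Methods browsers refuse to issue from fetch()/XHR; an override naming one is the XST pattern.
REFLECTING_METHODS = {"TRACE", "TRACK"}


def effective_method(method: str, headers: Mapping[str, str]) -> str:
    """Method a server that honours override headers would actually execute."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    for name in OVERRIDE_HEADERS:
        if lowered.get(name):
            return lowered[name].upper()
    return method.upper()


def should_block(method: str, headers: Mapping[str, str]) -> bool:
    """Proxy/WAF rule: refuse the request when the method the server would run is
    TRACE or TRACK, whether sent directly or smuggled in via an override header."""
    return effective_method(method, headers) in REFLECTING_METHODS


def strip_override_headers(headers: Mapping[str, str]) -> dict:
    """Header-filtering workaround: forward the request without any override header."""
    return {k: v for k, v in headers.items() if k.lower() not in OVERRIDE_HEADERS}


def find_override_attempts(log_lines: Iterable[str]) -> list:
    """Detection over access-log lines. Constructed layout (an assumption, not a real
    server format): '<method> <path> <status> <override-header>:<value>', with '-' when
    no override header was present. The logged method may still read POST because the
    override is applied by the application, so the header itself must be logged."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        parts = line.split()
        if len(parts) < 4 or parts[3] == "-" or ":" not in parts[3]:
            continue
        header, _, value = parts[3].partition(":")
        if header.lower() in OVERRIDE_HEADERS and value.upper() in REFLECTING_METHODS:
            hits.append((lineno, parts[0], header, value.upper()))
    return hits


# Constructed sample log: one benign override (PUT), one XST attempt, one plain request.
SAMPLE_LOG = [
    "POST /api/items 200 X-HTTP-Method-Override:PUT",
    "POST /account 200 X-HTTP-Method-Override:trace",
    "GET /index.html 200 -",
]
```

Only the second sample line is reported, since an override to PUT is ordinary REST usage and must not trip the rule.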
## References
- **Mozilla Foundation Security Advisory 2022-47:** [https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/](https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/)
- **Bugzilla Entry:** [https://bugzilla.mozilla.org/show_bug.cgi?id=1793829](https://bugzilla.mozilla.org/show_bug.cgi?id=1793829)
- **CWE-200 Information:** [https://cwe.mitre.org/data/definitions/200.html](https://cwe.mitre.org/data/definitions/200.html)