TRACE requests via XMLHTTPRequest.

I was looking over some of Mozilla’s XMLHTTPRequest code, and noticed this snippet at nsXMLHttpRequest.cpp:915

// Disallow HTTP/1.1 TRACE method (see bug 302489)
// and MS IIS equivalent TRACK (see bug 381264)
if (method.LowerCaseEqualsASCII("trace") ||
    method.LowerCaseEqualsASCII("track")) {
  return NS_ERROR_INVALID_ARG;
}

Which lead me to do:

var xhr = new XMLHttpRequest();
xhr.open('%trace', '/',false);
xhr.send('');
alert(xhr.responseText);

When I was testing I was using Paros proxy and strangely enough the request worked. Turns out Paros drops the % and sends it along. Does anyone know of any other proxies that behave similarly?

You can test it out here: method_bypass.html

Update: Depending on the logging level, Squid (and possibly others) will display all header information on some errors. The above request will be treated as an invalid request and as such will echo back everything.

Leave a Reply

Your email address will not be published. Required fields are marked *