Cross Site Tracing (XST) enables an attacker to steal the victim's session
						cookie and possibly other authentication credentials transmitted in the
						header of the HTTP request when the victim's browser communicates to
						destination system's web server. The attacker first gets a malicious script
						to run in the victim's browser that induces the browser to initiate an HTTP
						TRACE request to the web server. If the destination web server allows HTTP
						TRACE requests, it will proceed to return a response to the victim's web
						browser that contains the original HTTP request in its body. The function of
						HTTP TRACE, as defined by the HTTP specification, is to echo the request
						that the web server receives from the client back to the client. Since the
						HTTP header of the original request had the victim's session cookie in it,
						that session cookie can now be picked off the HTTP TRACE response and sent
						to the attacker's malicious site. XST becomes relevant when direct access to
						the session cookie via the "document.cookie" object is disabled with the use
						of httpOnly attribute which ensures that the cookie can be transmitted in
						HTTP requests but cannot be accessed in other ways. Using SSL does not
						protect against XST.