Amit Klein has written a new article entitled "XST Strikes Back (or perhaps "Return from the Proxy"...)". Whatever the final title may be it outlines how XST vulnerabilities can still exist when a proxy server is in front of the server that an attacker is wishing to launch the attack against.

"About three years ago, the concept of "Cross Site Tracing" [1] was introduced to the web application security community. In essence, the classic XST is about amplifying an existing XSS vulnerability such that HttpOnly cookies and HTTP authentication credentials can be compromised. This is done using a client side XmlHttpRequest object that sends a TRACE request back to the server, receives the request echoed back by the server's TRACE function, and extracts the information from the echoed back request. The recommendation in [1] is to turn off TRACE support in the web server, which indeed takes care of the attack as described.

However, let us now consider a situation wherein there is a proxy server somewhere between the client (browser) and the server. In such case, it is possible to force the proxy server (at least, in theory) to respond to the TRACE request, rather than the origin server itself. Thus, HTTP TRACE can still be used to compromise the credentials of the user, even if the server does not support the TRACE request. " - Amit

Article Link: http://www.cgisecurity.com/lib/xst-strikes-back.shtml