XST (cross-site tracing) combines the HTTP TRACE method with an XSS foothold to steal cookies: TRACE echoes the request message back in the response body, Cookie header included, so script that can read a TRACE response recovers the very cookies HttpOnly keeps out of document.cookie.
Defense: disable TRACE on the web server (Apache: TraceEnable off; Nginx rejects TRACE with 405 out of the box, no directive needed). The HttpOnly flag alone does not protect against XST, because the cookie is still sent on the wire and TRACE reflects it. Caveat: current browsers forbid TRACE from XMLHttpRequest and fetch, so the classic in-browser attack is largely historical, but an enabled TRACE still reflects whatever headers a reverse proxy or gateway adds and is routinely flagged by scanners, so check for it.
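Added example (not code from the original note): a Python probe that sends a TRACE request carrying a marker cookie and checks whether the reply reflects it. To run offline it spins up two constructed local servers, one that echoes TRACE the way a misconfigured server does and one that answers 405 as a hardened server would; probe_trace, start_fake_server and extract_echoed_cookie are the example's own names.

```python
"""Probe whether an HTTP server echoes TRACE requests (the XST precondition).

Added example, not the original note's code. The two local servers below are
constructed stand-ins: one reflects TRACE like a misconfigured server, the
other rejects it with 405 as Apache does with `TraceEnable off`.
"""
import http.client
import socket
import threading


def _serve_once(sock, echo_trace):
    """Accept one connection, answer one request, then shut the listener."""
    conn, _ = sock.accept()
    with conn:
        request = b""
        while b"\r\n\r\n" not in request:
            chunk = conn.recv(4096)
            if not chunk:
                break
            request += chunk
        if echo_trace:
            # TRACE semantics (RFC 7231 4.3.8): reflect the request message,
            # headers included, as a message/http body. The Cookie header
            # we received comes straight back to the client.
            response = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n"
                        b"Content-Length: %d\r\nConnection: close\r\n\r\n"
                        % len(request)) + request
        else:
            response = (b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n"
                        b"Content-Length: 0\r\nConnection: close\r\n\r\n")
        conn.sendall(response)
    sock.close()


def start_fake_server(echo_trace):
    """Start a one-shot local server on an ephemeral port; return the port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    threading.Thread(target=_serve_once, args=(sock, echo_trace), daemon=True).start()
    return sock.getsockname()[1]


def extract_echoed_cookie(status, content_type, body):
    """Return the Cookie header value reflected in a TRACE reply, or None.

    A genuine TRACE echo is a 200 with Content-Type message/http whose body
    is the request we sent; any other answer means TRACE is not reflected.
    """
    if status != 200 or not (content_type or "").lower().startswith("message/http"):
        return None
    for line in body.split(b"\r\n"):
        if line.lower().startswith(b"cookie:"):
            return line.split(b":", 1)[1].strip().decode("latin-1")
    return None


def probe_trace(host, port, cookie="session=SECRET"):
    """Send TRACE with a marker cookie; return (status, reflected cookie or None).

    The request carries only name=value: HttpOnly is a Set-Cookie attribute
    that hides the cookie from document.cookie, not from the wire, which is
    exactly why a reflected TRACE defeats it.
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", "/", headers={"Cookie": cookie})
        resp = conn.getresponse()
        body = resp.read()
        return resp.status, extract_echoed_cookie(resp.status, resp.getheader("Content-Type"), body)
    finally:
        conn.close()


if __name__ == "__main__":
    for label, echo in (("reflecting server", True), ("hardened server", False)):
        status, leaked = probe_trace("127.0.0.1", start_fake_server(echo))
        verdict = "VULNERABLE, cookie reflected: %s" % leaked if leaked else "not reflected"
        print("%s -> HTTP %d, %s" % (label, status, verdict))
```

Against a real host, point probe_trace at it instead of the fake servers; a 200 with a message/http body that contains your marker cookie means TRACE is enabled, while 405 (or 501) means it is not. The same check also reveals headers a front-end proxy injects, since those are reflected too.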