http://isc.incidents.org/analysis.html?id=179

It is basically a twist on cross-site scripting...



> nc localhost 80
TRACE / HTTP/1.0
X-Header: test

(don't forget the empty line at the end)

The response will be:
HTTP/1.1 200 OK
.... (various server headers) ...
Content-Type: message/http

TRACE / HTTP/1.0
X-Header: test

The important part is that the entire request (including the dummy X-Header)
is echoed back.

There is also a Snort signature in the article to detect this method being used, and it applies to both Apache and IIS...

/nebulus
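
The manual nc test described above can be turned into a repeatable check for whether a web server you administer still answers TRACE. This is an added example, not code from the post or the linked article; the header name `X-Trace-Probe`, the token value and the sample responses are assumptions constructed for illustration.

```python
import socket

MARKER = "X-Trace-Probe"  # hypothetical header name, stands in for X-Header


def build_trace_request(host, token):
    """Same request as the nc session, plus a Host header for virtual hosts."""
    return (f"TRACE / HTTP/1.0\r\nHost: {host}\r\n"
            f"{MARKER}: {token}\r\n\r\n").encode("ascii")


def trace_echoed(raw_response, token):
    """True only if the server answered 200 and echoed our header in the body."""
    head, sep, body = raw_response.partition(b"\r\n\r\n")
    if not sep:  # tolerate bare-LF servers
        head, sep, body = raw_response.partition(b"\n\n")
    lines = head.splitlines()
    if not lines:
        return False
    status = lines[0].split()
    if len(status) < 2 or status[1] != b"200":
        return False  # 405/501/403 etc. means TRACE is refused
    needle = f"{MARKER}: {token}".encode("ascii").lower()
    return needle in body.lower()


def probe(host, port=80, token="probe-1234", timeout=5.0):
    """Send the TRACE request over a plain socket and evaluate the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_trace_request(host, token))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return trace_echoed(b"".join(chunks), token)


# Constructed sample responses (not captured from a real server).
ENABLED = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
           b"TRACE / HTTP/1.0\r\nHost: localhost\r\nX-Trace-Probe: probe-1234\r\n\r\n")
DISABLED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"
NO_ECHO = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"

if __name__ == "__main__":
    print("TRACE enabled on localhost:", probe("localhost"))
```

A `True` result means the request, including the probe header, came back in the response body, which is the echo behaviour the post describes.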