| Attack Pattern ID | Pattern Abstraction: Standard 18 |
| Typical Severity | Very High |
| Description | Summary
This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an attacker to tunnel through the application's elements and launch a XSS attack through other elements.
As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote attacker to collect and interpret the output of said attack.
|
| Attack Prerequisites |
Target client software must be a client that allows script execution based on scripts generated by remote hosts.
|
| Typical Likelihood of Exploit |
High
|
| Methods of Attack | |
| Examples-Instances | Description
In this example, the attacker adds script to HTML tags other than <script> tags, when the victim's standard content is appended with a malicious script. For example a link to http://myfavoritewebsite/getMyHomePage/content?malciousscript.js
The victim clicks on the link, which directs them to their home page (so that the victim does not notice anything is amiss) and simultaneously executes a script on their machine.
|
| Attacker Skill or Knowledge Required |
Low → To achieve a redirection and use of less trusted source, an attacker can simply edit content such as XML payload or HTML files that are sent to client machine.
High → Exploiting a client side vulnerability to inject malicious scripts into the browser’s executable process.
|
| Resources Required |
Ability to include malicious script in document, e.g. HTML file, or XML document. Ability to deploy a custom hostile service for access by targeted clients. Ability to communicate synchronously or asynchronously with client machine
|
| Solutions and Mitigations |
Design: Use browser technologies that do not allow client side scripting.
Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.
Implementation: Perform input validation for all remote content.
Implementation: Perform output validation for all remote content.
Implementation: Disable scripting languages such as Javascript in browser
Implementation: Session tokens for specific host
Implementation: Service provider should not use the XMLHttpRequest method to create a local proxy for content from other sites, because the client will not be able to discern what content comes from which host.
|
| Attack Motivation-Consequences | - Run Arbitrary Code
- Information Leakage
|
| Context Description |
“Attack Pattern: Embedding Script in Nonscript Elements
Script does not need to be inserted between <script> tags. Instead, script can appear as part of another HTML tag, such as the image tag. The injection vector is
<img src = javascript:alert(document.domain)>
[Hoglund and McGraw 04]
|
| Injection Vector |
Malicious input delivered through standard document formats, e.g. XML document or HTML file to the client.
|
| Payload |
Varies with instantiation of attack pattern. In the case of HTML files they may not be visible to the end user via a browser.
|
| Activation Zone |
Client software and its component libraries
|
| Payload Activation Impact |
Enables attacker to execute scripts to launch attacks on remote client machine and environment
|
| Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 80 | Failure to Sanitize Script-Related HTML Tags in a Web Page (Basic XSS) | Targeted | | 83 | Failure to Sanitize Script in Attributes in a Web Page | Targeted | | 84 | Failure to Resolve Encoded URI Schemes in a Web Page | Secondary | | 82 | Failure to Sanitize Script in Attributes of IMG Tags in a Web Page | Targeted | | 348 | Use of Less Trusted Source | Targeted | | 96 | Insufficient Control of Directives in Statically Saved Code (Static Code Injection) | Targeted | | 20 | Insufficient Input Validation | Targeted | | 116 | Incorrect Output Sanitization | Targeted | | 184 | Incomplete Blacklist | Secondary | | 86 | Invalid Characters in Identifiers | Secondary | | 350 | Improperly Trusted Reverse DNS | Targeted |
|
| Purpose | Penetration |
| CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| Medium | Medium | Low |
|
| Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
|
| References |
G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.
|
| Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | Cigital, Inc | 2007-01-01 | |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Gunnar Peterson | Cigital, Inc | 2007-02-28 | Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" | | Sean Barnum | Cigital, Inc | 2007-03-09 | Review and revise | | Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Name and Description | | Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback |
|
