CAPEC-18: XSS Targeting Non-Script Elements (CAPEC Version 2.11)

Attack Pattern ID: 18
Abstraction: Detailed
Status: Draft
Completeness: Complete
+ Summary

This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts, such as image tags (<img>) or comments and CDATA sections in XML documents (<!-- ... --> and <![CDATA[ ... ]]>). These elements may not be subject to the same input validation, output encoding, and other content filtering and checking routines as the obvious script-bearing ones, so they create an opportunity for an attacker to tunnel through the application's filters and launch an XSS attack through those other elements.

As with all remote attacks, it is important to differentiate between the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote attacker to collect and interpret the output of that attack.

+ Attack Steps
Explore
  1. Spider: Using a browser or an automated tool, an attacker records all entry points for inputs that happen to be reflected in a client-side non-script element. These non-script elements can be located in the HTML content (head, body, comments), in an HTML tag, XML, CSS, etc.

    Use a spidering tool to follow and record all non-static links that are likely to have input parameters (through forms, URL, fragments, etc.) actively used by the Web application.

    Use a proxy tool to record all links visited during a manual traversal of the web application.

    Use a browser to manually explore the website and analyze how it is constructed. Many browser plugins are available to facilitate the analysis or automate the discovery.

Experiment
  1. Probe identified potential entry points for XSS vulnerability: The attacker uses the entry points gathered in the "Explore" phase as a target list and injects various common script payloads to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.

    Manually inject various script payloads into each identified entry point, using a list of common script injection probes that typically work in a client-side non-script element context, and observe system behavior to determine if the script was executed. Since these probes may have to be injected into many different types of non-script elements, they should cover a variety of possible contexts (CSS, HTML tag, HTML comment, XML, etc.).

    Use an automated injection attack tool to inject various script payloads into each identified entry point, using the same list of context-specific probes, and observe system behavior to determine if the script was executed. As with manual probing, the probe list should cover a variety of possible contexts (CSS, HTML tag, HTML comment, XML, etc.).

    Use a proxy tool to record results of the created requests.
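The Experiment step hinges on knowing which context a reflected value lands in, because that context determines which probe can break out of it. The following is an added example, not CAPEC or MITRE code: a heuristic classifier that takes a recorded response body and a unique canary that was submitted in a request parameter, and names the markup context of every reflection (HTML text, HTML comment, a named attribute with its quoting style, the body of a tag, a <script> block, or a <style> block). The canary value and the sample response are constructed for the example.

```javascript
// Added example (not CAPEC/MITRE code): given a server response and a unique
// canary that was submitted in a request parameter, report the markup
// context each reflection landed in. The context decides which probe makes
// sense next: a canary inside an HTML comment needs "-->" to break out, one
// inside a double-quoted attribute needs '"', one inside <style> needs "}".
// Heuristic string scan, no DOM parser: good enough to triage reflections.

// Constructed canary: letters and digits only, so encoding never alters it.
const CANARY = "zx9q7canary";

// Walks the markup that precedes the canary and names the innermost context.
function contextAt(before) {
  // 1. HTML comment: an unclosed "<!--" wins over everything else.
  if (before.lastIndexOf("<!--") > before.lastIndexOf("-->")) return "html-comment";

  // 2. Inside a tag: an unclosed "<" after the last ">".
  const lastLt = before.lastIndexOf("<");
  if (lastLt > before.lastIndexOf(">")) {
    const tagSoFar = before.slice(lastLt);
    // Attribute value being written right now: name=" ... | name=' ... | name=...
    const m = /([\w-]+)\s*=\s*("[^"]*|'[^']*|[^\s"'>]*)$/.exec(tagSoFar);
    if (m) {
      const name = m[1].toLowerCase();
      const quote = m[2].startsWith('"') ? "dq" : m[2].startsWith("'") ? "sq" : "unquoted";
      return `attribute:${name}:${quote}`;
    }
    return "tag-body"; // attribute-name position, e.g. <div CANARY>
  }

  // 3. Text content: check for an enclosing raw-text element.
  const lower = before.toLowerCase();
  if (lastMatch(lower, /<script\b[^>]*>/g) > lower.lastIndexOf("</script")) return "script";
  if (lastMatch(lower, /<style\b[^>]*>/g) > lower.lastIndexOf("</style")) return "css";
  return "html-text";
}

// Index of the last match of a global regex in s, or -1.
function lastMatch(s, re) {
  let last = -1;
  for (let m; (m = re.exec(s)) !== null; ) last = m.index;
  return last;
}

// Returns one context label per occurrence of the canary, in document order.
function classifyReflections(body, canary = CANARY) {
  const out = [];
  for (let i = body.indexOf(canary); i !== -1; i = body.indexOf(canary, i + canary.length)) {
    out.push(contextAt(body.slice(0, i)));
  }
  return out;
}

// Constructed sample response in which the same parameter is reflected in
// nine different places.
const SAMPLE_RESPONSE = [
  "<html><head><style>.u { color: zx9q7canary; }</style></head>",
  "<body><!-- search: zx9q7canary -->",
  "<img src=\"/img/zx9q7canary.png\" alt='zx9q7canary' title=zx9q7canary>",
  "<a href=\"/u/zx9q7canary\">zx9q7canary</a>",
  "<script>var q = \"zx9q7canary\";</script>",
  "<div zx9q7canary>x</div>",
  "</body></html>",
].join("\n");

console.log(classifyReflections(SAMPLE_RESPONSE));
```

The scan is deliberately simple (it does not track `<` inside script strings, for instance), so treat its output as a triage hint that tells you which probe family to try first, and confirm each context by hand in the proxy.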

Exploit
  1. Steal session IDs, credentials, page content, etc.: Once the attacker succeeds in exploiting the vulnerability, they can choose to steal the user's credentials in order to reuse or analyze them later on.

    Develop malicious JavaScript that is injected through vectors identified during the Experiment phase, is loaded by the victim's browser, and sends document information to the attacker.

    Develop malicious JavaScript that is injected through vectors identified during the Experiment phase, takes commands from an attacker's server, and causes the browser to execute them.

  2. Forceful browsing: When the attacker targets the current application or another one (through CSRF vulnerabilities), the user becomes the one who performs the attacks without being aware of it. These attacks mostly target application logic flaws, but they can also be used to create a widespread attack against a particular website on the user's current network (Internet or not).

    Develop malicious JavaScript that is injected through vectors identified during the Experiment phase, is loaded by the victim's browser, and performs actions on the same web site.

    Develop malicious JavaScript that is injected through vectors identified during the Experiment phase, takes commands from an attacker's server, and causes the browser to issue requests to other web sites (especially web applications that have CSRF vulnerabilities).

  3. Content spoofing: By manipulating the content, the attacker targets the information that the user expects to get from the website.

    Develop malicious JavaScript that is injected through vectors identified during the Experiment phase, is loaded by the victim's browser, and presents attacker-modified, false information to the user on the current web page.

+ Attack Prerequisites
  • The target client software must allow the execution of scripts generated by remote hosts.

+ Typical Severity

Very High

+ Typical Likelihood of Exploit

Likelihood: High

Techniques for discovery of XSS, as well as tools and means to exploit it, are widely available and well understood.

+ Methods of Attack
  • Injection
  • API Abuse
+ Examples-Instances

Description

An online discussion forum allows its members to post HTML-enabled messages, which can also include image tags. A malicious user embeds JavaScript in the IMG tags in their messages, and it is executed within the victim's browser whenever the victim reads these messages.

(Attack)
 
<img src=javascript:alert('XSS')>

When executed within the victim's browser, the malicious script could accomplish a number of adversary objectives, including stealing sensitive information such as usernames, passwords, or cookies. Current browsers no longer execute javascript: URLs in an image's src attribute, but the same element can still carry script through event-handler attributes such as onerror, so the filtering point is the element and all of its attributes, not the src scheme alone.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

To achieve a redirection to, and use of, a less trusted source, an adversary can simply edit content such as an XML payload or HTML files that are sent to the client machine.

Skill or Knowledge Level: High

Exploiting a client-side vulnerability to inject malicious scripts into the browser's executable process.

+ Resources Required

Ability to include malicious script in a document, e.g. an HTML file or XML document. Ability to deploy a custom hostile service for access by targeted clients. Ability to communicate synchronously or asynchronously with the client machine.

+ Solutions and Mitigations

In addition to the traditional input fields, all other user-controllable inputs, such as image tags within messages or the like, must also be subjected to input validation. Such validation should ensure that content that can potentially be interpreted as script by the browser (including URL schemes such as javascript: and event-handler attributes) is appropriately filtered.

All output displayed to clients must be properly escaped for the context in which it is emitted (HTML text, attribute value, URL, CSS, or script), since each context has its own special characters. Escaping ensures that the browser interprets special scripting characters literally and not as script to be executed.
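The two mitigations above, applied to the forum example from this entry, as an added example that is not CAPEC or MITRE code: renderImageUnsafe() reproduces the flawed rendering that lets the <img src=javascript:...> payload through, and renderImageSafe() validates the member-supplied value as a URL with an allowlisted scheme and then encodes it for the attribute context it is written into. FORUM_ORIGIN is an assumed base URL used only to resolve relative paths, and the SAMPLES inputs are constructed.

```javascript
// Added example (not CAPEC/MITRE code): rendering a member-supplied image
// reference in a forum post. renderImageUnsafe() reproduces the flaw in the
// forum example above; renderImageSafe() applies the two mitigations:
// validate the value as a URL with an allowlisted scheme, then encode it for
// the attribute context it is written into. FORUM_ORIGIN is an assumed base
// URL used only to resolve relative paths.

const FORUM_ORIGIN = "https://forum.example";
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Vulnerable: the value is dropped into the tag unchanged and unquoted.
function renderImageUnsafe(userSrc) {
  return `<img src=${userSrc}>`;
}

// Input validation: parse with the WHATWG URL parser rather than a regex.
// The parser lowercases the scheme and strips leading whitespace and embedded
// tabs/newlines, so "  JaVaScRiPt:" and "java\tscript:" both normalize to
// "javascript:" and are rejected; "data:" and "vbscript:" are rejected too.
function safeImageUrl(userSrc) {
  let url;
  try {
    url = new URL(String(userSrc), FORUM_ORIGIN);
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Output encoding for a double-quoted HTML attribute value.
function encodeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: reject anything that is not an http(s) URL, always quote the
// attribute, and encode the value so it cannot close the quote or the tag.
function renderImageSafe(userSrc) {
  const href = safeImageUrl(userSrc);
  if (href === null) return "";
  return `<img src="${encodeAttr(href)}" alt="">`;
}

// Constructed inputs: the page's payload plus a few filter-evasion variants.
const SAMPLES = [
  "javascript:alert('XSS')",
  "  JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "/img/avatar.png",
  'https://cdn.example/x.png" onerror="alert(1)',
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", renderImageSafe(s) || "(rejected)");
}
```

The scheme check is an allowlist, not a blocklist of "javascript", which is why the case and whitespace variants fall out for free. The last sample shows why encoding still matters after validation: the value is a legitimate https URL, yet without quoting and attribute encoding it would inject an onerror handler, which is the modern form of the attack this entry describes. For full HTML-enabled posts, the same reasoning extends to every attribute of every allowed element, which is a job for a maintained HTML sanitizer rather than hand-written string handling.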

+ Attack Motivation-Consequences
Scope | Technical Impact | Note
Confidentiality, Integrity, Availability | Execute unauthorized code or commands | Run Arbitrary Code
Confidentiality | Read application data |
+ Injection Vector

Malicious input delivered through standard document formats, e.g. XML document or HTML file to the client.

+ Payload

Varies with instantiation of attack pattern. In the case of HTML files they may not be visible to the end user via a browser.

+ Activation Zone

Client software and its component libraries

+ Payload Activation Impact

Enables attacker to execute scripts to launch attacks on remote client machine and environment

+ Purposes
  • Penetration
+ CIA Impact
Confidentiality Impact: Medium
Integrity Impact: Medium
Availability Impact: Low
+ Technical Context
Architectural Paradigms
All
Frameworks
All
Platforms
All
Languages
All
+ References
[R.18.1] [REF-2] G. Hoglund and G. McGraw. "Exploiting Software: How to Break Code". Addison-Wesley. February 2004.
+ Content History
Submissions
Submitter | Organization | Date | Source
CAPEC Content Team | The MITRE Corporation | 2014-06-23 | Internal_CAPEC_Team
Modifications
Modifier | Organization | Date | Comments | Source
CAPEC Content Team | The MITRE Corporation | 2017-01-09 | Updated Related_Attack_Patterns | Internal
CAPEC Content Team | The MITRE Corporation | 2017-05-01 | Updated Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Examples-Instances, Related_Attack_Patterns, Related_Vulnerabilities, Related_Weaknesses, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit | Internal
Previous Entry Names
Date | Previous Entry Name
2017-05-01 | Embedding Scripts in Non-Script Elements

Page Last Updated or Reviewed: July 31, 2017