Home > CAPEC List > CAPEC-198: XSS Targeting Error Pages (Version 3.0)  

CAPEC-198: XSS Targeting Error Pages

Attack Pattern ID: 198
Abstraction: Detailed
Status: Draft
Presentation Filter:
+ Description
An adversary distributes a link (or possibly some other query structure) with a request to a third party web server that is malformed and also contains a block of exploit code in order to have the exploit become live code in the resulting error page. When the third party web server receives the crafted request and notes the error it then creates an error message that echoes the malformed message, including the exploit. Doing this converts the exploit portion of the message into to valid language elements that are executed by the viewing browser. When a victim executes the query provided by the attacker the infected error message error message is returned including the exploit code which then runs in the victim's browser. XSS can result in execution of code as well as data leakage (e.g. session cookies can be sent to the attacker). This type of attack is especially dangerous since the exploit appears to come from the third party web server, who the victim may trust and hence be more vulnerable to deception.
+ Typical Severity

Medium

+ Relationships

The table(s) below shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

+ Relevant to the view "Mechanisms of Attack" (CAPEC-1000)
NatureTypeIDName
ChildOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.588DOM-Based XSS
ChildOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.591Reflected XSS
ChildOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.592Stored XSS
+ Prerequisites
A third party web server which fails to adequately sanitize messages sent in error pages.
The victim must be made to execute a query crafted by the attacker which results in the infected error report.
+ Resources Required
None: No specialized resources are required to execute this type of attack.
+ Mitigations
Design: Use libraries and templates that minimize unfiltered input.
Implementation: Normalize, filter and white list any input that will be used in error messages.
Implementation: The victim should configure the browser to minimize active content from untrusted sources.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2017-05-01CAPEC Content TeamThe MITRE Corporation
Updated Description Summary, Related_Attack_Patterns, Related_Weaknesses
2017-08-04CAPEC Content TeamThe MITRE Corporation
Updated Resources_Required
Previous Entry Names
Change DatePrevious Entry Name
2017-05-01Cross-Site Scripting in Error Pages

More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2018