An attacker distributes a link (or possibly some other query structure)
containing a request to a third party web server that is malformed and also
carries a block of exploit code, with the aim of having the exploit become live
code in the resulting error page. When the third party web server receives
the crafted request and notes the error, it creates an error message that
echoes the malformed request, including the exploit. Doing this converts the
exploit portion of the request into valid language elements that are executed
by the viewing browser. When a victim executes the query provided by the
attacker, the infected error message is returned, including the exploit code,
which then runs in the victim's browser. XSS can result in execution of code
as well as data leakage (e.g. session cookies can be sent to the attacker).
This type of attack is especially dangerous since the exploit appears to come
from the third party web server, which the victim may trust and hence be more
vulnerable to deception.
Attack Prerequisites
A third party web server which fails to adequately sanitize messages sent
in error pages.
The victim must be made to execute a query crafted by the attacker which
results in the infected error report.
Resources Required
None
Solutions and Mitigations
Design: Use libraries and templates that minimize unfiltered input.
Implementation: Normalize, filter and white list any input that will be
used in error messages.
Implementation: The victim should configure the browser to minimize active
content from untrusted sources.
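The following added example (not part of the original entry) contrasts an error page that echoes the raw request path with one hardened along the lines of the Implementation mitigation above: normalize, allow-list, then escape. The sample paths, the allow-list pattern and the page template are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample requests (not from the page): a path that does not exist
# and carries markup, once plain and once percent-encoded.
SAMPLE_PATH = "/missing/<script>alert(1)</script>"
ENCODED_SAMPLE_PATH = "/missing/%3Cscript%3Ealert(1)%3C/script%3E"

TEMPLATE = "<html><body><h1>404 Not Found</h1><p>No such page: {shown}</p></body></html>"


def unsafe_error_page(path: str) -> str:
    """Vulnerable pattern: the raw request path is interpolated straight into
    the HTML error body, so any markup it contains becomes live markup."""
    return TEMPLATE.format(shown=path)


# Allow-list of characters that may be echoed back verbatim (hypothetical policy
# for this example; a real site would tune it to its own URL scheme).
SAFE_PATH = re.compile(r"[A-Za-z0-9/._~-]*")


def safe_error_page(raw_path: str) -> str:
    """Hardened pattern, following the 'normalize, filter and white list' advice
    with output escaping as defence in depth:
      1. normalize: percent-decode so the filter sees the real characters
         (filtering before decoding would let %3Cscript%3E slip through);
      2. allow-list: echo the path only if every character is permitted,
         otherwise substitute a fixed placeholder;
      3. escape: HTML-encode whatever is echoed so it can only render as text."""
    path = unquote(raw_path)
    shown = path if SAFE_PATH.fullmatch(path) else "[request path omitted]"
    return TEMPLATE.format(shown=html.escape(shown, quote=True))


def has_live_script_tag(page: str) -> bool:
    """Crude check used by the demo: does the page contain a raw <script tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("vulnerable:", has_live_script_tag(unsafe_error_page(SAMPLE_PATH)))          # True
    print("hardened:", has_live_script_tag(safe_error_page(SAMPLE_PATH)))              # False
    print("hardened, encoded:", has_live_script_tag(safe_error_page(ENCODED_SAMPLE_PATH)))  # False
    print(safe_error_page("/docs/index.html"))
```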