CAPEC-198: XSS Targeting Error Pages (Version 2.11)

Attack Pattern ID: 198
Abstraction: Detailed
Status: Draft
Completeness: Stub
+ Summary

An adversary distributes a link (or possibly some other query structure) containing a request to a third party web server that is malformed and also contains a block of exploit code, so that the exploit becomes live code in the resulting error page. When the third party web server receives the crafted request and notes the error, it creates an error message that echoes the malformed message, including the exploit. Doing this converts the exploit portion of the message into valid language elements that are executed by the viewing browser. When a victim executes the query provided by the attacker, the infected error message is returned, including the exploit code, which then runs in the victim's browser. XSS can result in execution of code as well as data leakage (e.g. session cookies can be sent to the attacker). This type of attack is especially dangerous since the exploit appears to come from the third party web server, which the victim may trust, making the victim more vulnerable to deception.

+ Attack Prerequisites
  • A third party web server which fails to adequately sanitize messages sent in error pages.

  • The victim must be made to execute a query crafted by the attacker which results in the infected error report.

+ Typical Severity


+ Resources Required

None: No specialized resources are required to execute this type of attack.

+ Solutions and Mitigations

Design: Use libraries and templates that minimize unfiltered input.

Implementation: Normalize, filter and white list any input that will be used in error messages.

Implementation: The victim should configure the browser to minimize active content from untrusted sources.
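
The "normalize, filter and white list" mitigation above, shown as an added example that is not part of the CAPEC entry: a constructed 404 handler that echoes the request path verbatim, next to one that normalizes, allow-lists and HTML-encodes it. The function names, the allow-list pattern and the sample requests are assumptions made for illustration.

```python
import html
import re
import unicodedata
from urllib.parse import unquote

# Assumption: characters this hypothetical site accepts in a displayable path.
SAFE_PATH = re.compile(r"[A-Za-z0-9/._-]{1,200}")
TEMPLATE = "<html><body><h1>404 Not Found</h1><p>No page at {shown}</p></body></html>"


def error_page_unsafe(raw_path):
    """The weakness the entry describes: the request is echoed verbatim."""
    return TEMPLATE.format(shown=unquote(raw_path))


def describe_path(raw_path):
    """Normalize, allow-list, then HTML-encode the value shown to the user."""
    # Decode once and fold compatibility forms (e.g. fullwidth '<') so that
    # look-alike encodings of markup characters are judged in canonical form.
    path = unicodedata.normalize("NFKC", unquote(raw_path))
    if not SAFE_PATH.fullmatch(path):
        return "the requested address"  # rejected input is never reflected
    # Encoding stays in place even if the allow-list is later widened.
    return html.escape(path, quote=True)


def error_page_safe(raw_path):
    """Error page that only ever contains normalized, filtered, encoded input."""
    return TEMPLATE.format(shown=describe_path(raw_path))


if __name__ == "__main__":
    # Constructed sample requests, not taken from the CAPEC entry.
    samples = [
        "/docs/index.html",                      # ordinary missing page
        "/x%3Cscript%3Ealert(1)%3C/script%3E",   # markup in the path
        "/x%253Cb%253E",                         # double-encoded markup
        "/x%EF%BC%9Cb%EF%BC%9E",                 # fullwidth angle brackets
    ]
    for sample in samples:
        print(f"{sample!r:45} -> {describe_path(sample)!r}")
```
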

+ Content History
CAPEC Content Team | The MITRE Corporation | 2014-06-23 | Internal_CAPEC_Team
CAPEC Content Team | The MITRE Corporation | 2017-05-01 | Updated Description Summary, Related_Attack_Patterns, Related_Weaknesses | Internal
CAPEC Content Team | The MITRE Corporation | 2017-08-04 | Updated Resources_Required | Internal

Previous Entry Names
Date | Previous Entry Name
2017-05-01 | Cross-Site Scripting in Error Pages

Page Last Updated or Reviewed: August 04, 2017