The attacker uses alternate forms of keywords or commands that result in
the same action as the primary form but which may not be caught by filters.
For example, many keywords are processed in a case-insensitive manner. If
the site's web filtering algorithm does not convert all tags into a
consistent case before comparing them with the forbidden keywords, it is
possible to bypass filters (e.g., incomplete black lists) by using an
alternate case structure. For example, the "script" tag in the alternate
forms "Script" or "ScRiPt" may bypass filters where "script" is the only
form tested. Other variants using different syntax representations are also
possible, as is the use of pollution meta-characters or entities that are
eventually ignored by the rendering engine. The attack can result in the
execution of otherwise prohibited functionality.
Attack Execution Flow

Explore

Survey the application:
Using a browser or an automated tool, an attacker follows all public links
on a web site. He records all the links he finds.

Attack Step Techniques (ID, Description, Environments)
1. Use a spidering tool to follow and record all links. Make special note of
   any links that include parameters in the URL. [env-Web]
2. Use a proxy tool to record all links visited during a manual traversal of
   the web application. Make special note of any links that include
   parameters in the URL. Manual traversal of this type is frequently
   necessary to identify forms that are GET method forms rather than POST
   forms. [env-Web]
3. Use a browser to manually explore the website and analyze how it is
   constructed. Many browser plugins are available to facilitate the
   analysis or automate the URL discovery. [env-Web]

Indicators (ID, Type, Description, Environments)
1. Positive: URL parameters are used by the application or the browser
   (DOM). [env-Web]
2. Inconclusive: Using URL rewriting, parameters may be part of the URL
   path. [env-Web]
3. Inconclusive: No parameters appear on the URL. Even though none appear,
   the web application may still use them if they are provided. [env-Web]
4. Negative: Applications that have only static pages or that simply present
   information without accepting input are unlikely to be susceptible.
   [env-Web]

Outcomes (ID, Type, Description)
1. Success: A list of URLs, with their corresponding parameters, is created
   by the attacker.
2. Success: A list of application user interface entry fields is created by
   the attacker.
3. Success: A list of resources accessed by the application is created by
   the attacker.

Security Controls (ID, Type, Description)
1. Detective: Monitor velocity of page fetching in web logs. Humans who view
   a page and select a link from it will click far slower and far less
   regularly than tools. Tools make requests very quickly and the requests
   are typically spaced apart regularly (e.g. 0.8 seconds between them).
2. Detective: Create links on some pages that are visually hidden from web
   browsers. Using IFRAMES, images, or other HTML techniques, the links can
   be hidden from web browsing humans, but visible to spiders and programs.
   A request for the page, then, becomes a good predictor of an automated
   tool probing the application.
3. Preventative: Use CAPTCHA to prevent the use of the application by an
   automated tool.
4. Preventative: Actively monitor the application and either deny or
   redirect requests from origins that appear to be automated.
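Security control 1 above (monitor the velocity of page fetching) as an added example in Python, not part of the original entry: it groups requests per client and flags clients whose inter-request gaps are both short and unusually regular. The log line format, client addresses and thresholds are constructed assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not from the page): "<ISO timestamp> <client>
# <method> <path> <status>". 203.0.113.5 fetches every 0.8 s; 198.51.100.7 is human-paced.
SAMPLE_LOG = """\
2023-10-10T13:55:36.000Z 203.0.113.5 GET /index.html 200
2023-10-10T13:55:36.800Z 203.0.113.5 GET /about.html 200
2023-10-10T13:55:37.600Z 203.0.113.5 GET /search?q=a 200
2023-10-10T13:55:38.400Z 203.0.113.5 GET /login 200
2023-10-10T13:55:39.200Z 203.0.113.5 GET /help 200
2023-10-10T13:55:30.000Z 198.51.100.7 GET /index.html 200
2023-10-10T13:55:34.200Z 198.51.100.7 GET /about.html 200
2023-10-10T13:55:45.700Z 198.51.100.7 GET /search?q=hours 200
2023-10-10T13:55:48.800Z 198.51.100.7 GET /login 200
2023-10-10T13:56:16.700Z 198.51.100.7 POST /login 302
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (?:GET|POST) \S+ \d{3}$")

def requests_by_client(log_text):
    """Group request timestamps per client address, skipping unparsable lines."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stamp = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%fZ")
            per_client[m.group(2)].append(stamp)
    return per_client

def fetch_velocity(stamps):
    """Median gap (s) and coefficient of variation of the gaps; None if too few gaps."""
    stamps = sorted(stamps)
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    if len(gaps) < 3:
        return None
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
    return statistics.median(gaps), cv

def flag_automated(log_text, max_median_gap=2.0, max_cv=0.25):
    """Clients whose fetches are both fast and regular, per the page's control 1."""
    flagged = {}
    for client, stamps in requests_by_client(log_text).items():
        velocity = fetch_velocity(stamps)
        if velocity and velocity[0] <= max_median_gap and velocity[1] <= max_cv:
            flagged[client] = velocity
    return flagged
```

Thresholds need tuning per site; a low coefficient of variation is the stronger signal, since humans on fast pages can be quick but are rarely metronomic.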
Experiment

Attempt injection payload variations on input parameters:
Possibly using an automated tool, an attacker requests variations on the
inputs he surveyed before. He sends parameters that include variations of
payloads. The payloads are designed to bypass incomplete filtering (e.g.,
incomplete HTML encoding etc.) and try many variations of character
injection that would enable the XSS payload. He records all the responses
from the server that include unmodified versions of his script.

Attack Step Techniques (ID, Description, Environments)
1. Use a list of XSS probe strings to inject in parameters of known URLs. If
   possible, the probe strings contain a unique identifier. Attempt numerous
   variations based on form, format, syntax & encoding. [env-Web]
2. Use a proxy tool to record results of manual input of XSS probes in known
   URLs. [env-Web]

Indicators (ID, Type, Description, Environments)
1. Positive: The output of pages includes some form of a URL parameter.
   E.g., ?error="File not Found" becomes "File not Found" in the title of
   the web page. [env-Web]
2. Positive: User-controllable input is output back to the browser.
   [env-Web]
3. Inconclusive: Nothing is returned to the web page. The payload may be
   stored to be served later. The unique identifier from the probe helps to
   trace the flow of the possible XSS. [env-Web]

Outcomes (ID, Type, Description)
1. Success: The attacker's script string is being reflected verbatim at some
   point in the web site (if not on the same page). Note that sometimes the
   payload might be well encoded in the page, but not encoded at all in some
   other section of the same web page (title, etc.).
2. Failure: All context-sensitive characters are consistently re-encoded
   before being sent to the web browser. For example, in an HTML tag
   element, the payload may not be able to evade the quotes in order to
   inject another attribute.
3. Inconclusive: Some sensitive characters are consistently encoded, but
   others are not.

Security Controls (ID, Type, Description)
1. Detective: Monitor input to web servers, application servers, and other
   HTTP infrastructure (e.g., load balancers). Alert on standard XSS probes.
   The majority of attackers use well known strings to check for
   vulnerabilities. Use the same vulnerability catalogs that hackers use.
2. Preventative: Apply appropriate input validation to filter all
   user-controllable input of scripting syntax.
3. Preventative: Do not embed user-controllable input in generated HTTP
   headers.
4. Preventative: Actively monitor the application and either deny or
   redirect requests from origins that appear to be generating XSS probes.
Exploit

As the attacker succeeds in exploiting the vulnerability, he can choose to
steal the user's credentials in order to reuse or analyze them later on.

Attack Step Techniques (ID, Description, Environments)
1. Develop malicious JavaScript that is injected through vectors identified
   during the Experiment Phase, is loaded by the victim's browser and sends
   document information to the attacker. [env-Web]
2. Develop malicious JavaScript that is injected through vectors identified
   during the Experiment Phase, takes commands from an attacker's server and
   then causes the browser to execute them appropriately. [env-Web]

Outcomes (ID, Type, Description)
1. Success: The attacker gets the user's cookies or other session
   identifiers.
2. Success: The attacker gets the content of the page the user is viewing.
3. Success: The attacker causes the user's browser to visit a page with
   malicious content.

Security Controls (ID, Type, Description)
1. Detective: Monitor server logs for scripting parameters.
2. Detective: Monitor server logs for referrers. If users are being tricked
   into clicking XSS links through forums or other web postings, their web
   browsers will be providing Referrer headers most of the time. These can
   help indicate that the actual request is illegitimate.
3. Preventative: Apply appropriate input validation to filter all
   user-controllable input of scripting syntax.
4. Preventative: Appropriately encode all browser output to avoid scripting
   syntax.
5. Preventative: Actively monitor the application and either deny or
   redirect requests from origins that appear to be generating XSS probes.
Forceful browsing:
When the attacker targets the current application or another one (through
CSRF vulnerabilities), the user will then be the one who performs the
attacks without being aware of it. These attacks mostly target application
logic flaws, but they can also be used to create a widespread attack against
a particular website on the user's current network (Internet or not).

Attack Step Techniques (ID, Description, Environments)
1. Develop malicious JavaScript that is injected through vectors identified
   during the Experiment Phase, is loaded by the victim's browser and
   performs actions on the same web site. [env-Web]
2. Develop malicious JavaScript that is injected through vectors identified
   during the Experiment Phase, takes commands from an attacker's server and
   then causes the browser to send requests to other web sites (especially
   the web applications that have CSRF vulnerabilities). [env-Web]

Outcomes (ID, Type, Description)
1. Success: The attacker indirectly controls the user's browser and makes it
   perform actions that exploit CSRF.
2. Success: The attacker manipulates the browser through the steps that he
   designed in his attack. The user, identified on a website, is now
   performing actions he is not aware of.

Security Controls (ID, Type, Description)
1. Detective: Monitor server logs for scripting parameters.
2. Detective: Monitor server logs for referrers. If users are being tricked
   into clicking XSS links through forums or other web postings, their web
   browsers will be providing Referrer headers most of the time. These can
   help indicate that the actual request is illegitimate.
3. Preventative: Apply appropriate input validation to filter all
   user-controllable input of scripting syntax.
4. Preventative: Appropriately encode all browser output to avoid scripting
   syntax.
5. Preventative: Actively monitor the application and either deny or
   redirect requests from origins that appear to be generating XSS probes.
Content spoofing:
By manipulating the content, the attacker targets the information that the
user would like to get from the website.

Attack Step Techniques (ID, Description, Environments)
1. Develop malicious JavaScript that is injected through vectors identified
   during the Experiment Phase, is loaded by the victim's browser and
   exposes attacker-modified invalid information to the user on the current
   web page. [env-Web]

Outcomes (ID, Type, Description)
1. Success: The user sees a page containing wrong information.

Security Controls (ID, Type, Description)
1. Detective: Monitor server logs for scripting parameters.
2. Detective: Monitor server logs for referrers. If users are being tricked
   into clicking XSS links through forums or other web postings, their web
   browsers will be providing Referrer headers most of the time. These can
   help indicate that the actual request is illegitimate.
3. Preventative: Apply appropriate input validation to filter all
   user-controllable input of scripting syntax.
4. Preventative: Appropriately encode all browser output to avoid scripting
   syntax.
5. Preventative: Actively monitor the application and either deny or
   redirect requests from origins that appear to be generating XSS probes.
Attack Prerequisites
Target client software must allow scripting such as JavaScript.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
Protocol Manipulation
Examples-Instances

Description

In this example, the attacker tries to get <script>alert(1)</script>
executed by the victim's browser. The target application employs regular
expressions to make sure no script is being passed through the application
to the web page; such a regular expression could be ((?i)script), and the
application would replace all matches of this regexp by the empty string. An
attacker will then create a special payload to bypass this filter:
<scriscriptpt>alert(1)</scscriptript>. When the application gets this input
string, it will replace every occurrence of "script" (case insensitive) by
the empty string, and the resulting input will be exactly the vector the
attacker wanted: <script>alert(1)</script>.

In this example, we assume that the application needs to write a particular
string in a client-side JavaScript context (e.g., <script>HERE</script>).
For the attacker to execute the same payload as in the previous example, he
would need to send alert(1) if there was no filtering. The application makes
use of the following regular expression as filter:
((\w+)\s*\(.*\)|alert|eval|function|document), and replaces all matches by
the empty string. For example, each occurrence of alert(), eval(), foo() or
even the bare string "alert" would be stripped. An attacker will then create
a special payload to bypass this filter: this['al' + 'ert'](1). When the
application gets this input string, it won't replace anything, and this
piece of JavaScript has exactly the same runtime meaning as alert(1). The
attacker could also have used non-alphanumeric XSS vectors to bypass the
filter; for example,
($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+$$](_/_)
would be executed by the JavaScript engine like alert(1) is.
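As an added example (not code from the CAPEC entry), the two blacklist filters from the examples above and the alternate-case bypass from the opening description, run in Python against the page's own payloads, beside the context-aware output encoding that removes the need for such filters; the function names are my own.

```python
import html
import json
import re

# Filter 1 from the page: remove every case-insensitive "script".
SCRIPT_RE = re.compile(r"(?i)script")
# Filter 2 from the page: remove call-like tokens and a few keywords.
JS_RE = re.compile(r"((\w+)\s*\(.*\)|alert|eval|function|document)")

def strip_once(payload, pattern):
    """Single-pass blacklist filter, exactly as the page's examples describe."""
    return pattern.sub("", payload)

def strip_until_stable(payload, pattern, max_rounds=10):
    """Re-apply the filter until nothing changes. This closes the nesting
    trick ("<scriscriptpt>") but not the gaps in the word list itself."""
    for _ in range(max_rounds):
        cleaned = pattern.sub("", payload)
        if cleaned == payload:
            return cleaned
        payload = cleaned
    return ""  # still changing after max_rounds: refuse the input outright

def render_html_text(untrusted):
    """Context-aware output encoding for an HTML text node or attribute
    value: the string survives unchanged but is never parsed as markup."""
    return html.escape(untrusted, quote=True)

def render_js_string(untrusted):
    """Encoding for the page's <script>HERE</script> case when HERE is data:
    emit it as a JavaScript string literal (JSON-quoted) and escape '<' so
    a literal '</script>' in the data cannot end the script element."""
    return json.dumps(untrusted).replace("<", "\\u003c")
```

Running the nested payload through strip_once yields the working <script> tag, while strip_until_stable reduces it to "<>alert(1)</>"; the second filter still passes this['al' + 'ert'](1) untouched, which is why output encoding for the actual context, not keyword removal, is the control that holds.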
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low, to inject the malicious payload in a web page.
Skill or Knowledge Level: High, to bypass non-trivial filters in the application.
Resources Required
Ability to send HTTP request to a web application.
Solutions and Mitigations
Design: Use browser technologies that do not allow client side
scripting.
Design: Utilize strict type, character, and encoding enforcement
Implementation: Ensure all content that is delivered to client is
sanitized against an acceptable content specification.
Implementation: Ensure all content coming from the client is using the
same encoding; if not, the server-side application must canonicalize the
data before applying any filtering.
Implementation: Perform input validation for all remote content, including
remote and user-generated content
Implementation: Perform output validation for all remote content.
Implementation: Disable scripting languages such as JavaScript in
browser
Implementation: Patch software. There are many attack vectors for XSS on
the client side and the server side. Many vulnerabilities are fixed in
service packs for browsers, web servers, and plug-in technologies; staying
current on patch releases that deal with XSS countermeasures mitigates
this.
Attack Motivation-Consequences

Scope | Technical Impact | Note
Integrity | Modify files or directories |
Confidentiality | Read files or directories |
Integrity | Modify application data |
Confidentiality | Read application data |
Authorization | Execute unauthorized code or commands |
Accountability, Authentication, Authorization, Non-Repudiation | Gain privileges / assume identity |
Access_Control, Authorization | Bypass protection mechanism |
Injection Vector
Any HTTP Request transport variables (GET, POST, Headers, etc.)
Payload
XSS malicious script formed in non-traditional syntax
Activation Zone
Client web browser where script is executed
Payload Activation Impact
Description
Client web browser may be used to steal session data, passwords, cookies,
and other tokens.