Home > CAPEC List > CAPEC-199: Cross-Site Scripting Using Alternate Syntax (Version 2.6)  

CAPEC-199: Cross-Site Scripting Using Alternate Syntax

 
Cross-Site Scripting Using Alternate Syntax
Definition in a New Window Definition in a New Window
Attack Pattern ID: 199
Abstraction: Standard
Status: Draft
Completeness: Complete
+ Description

Summary

The attacker uses alternate forms of keywords or commands that result in the same action as the primary form but which may not be caught by filters. For example, many keywords are processed in a case insensitive manner. If the site's web filtering algorithm does not convert all tags into a consistent case before the comparison with forbidden keywords it is possible to bypass filters (e.g., incomplete black lists) by using an alternate case structure. For example, the "script" tag using the alternate forms of "Script" or "ScRiPt" may bypass filters where "script" is the only form tested. Other variants using different syntax representations are also possible as well as using pollution meta-characters or entities that are eventually ignored by the rendering engine. The attack can result in the execution of otherwise prohibited functionality.

Attack Execution Flow

Explore
  1. Survey the application:

    Using a browser or an automated tool, an attacker follows all public links on a web site. He records all the links he finds.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.

    env-Web
    2

    Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.

    env-Web
    3

    Use a browser to manually explore the website and analyze how it is constructed. Many browser's plugins are available to facilitate the analysis or automate the URL discovery.

    env-Web

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    URL parameters are used by the application or the browser (DOM)

    env-Web
    2Inconclusive

    Using URL rewriting, parameters may be part of the URL path.

    env-Web
    3Inconclusive

    No parameters appear on the URL. Even though none appear, the web application may still use them if they are provided.

    env-Web
    4Negative

    Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible.

    env-Web

    Outcomes

    IDTypeOutcome Description
    1Success
    A list of URLs, with their corresponding parameters is created by the attacker.
    2Success
    A list of application user interface entry fields is created by the attacker.
    3Success
    A list of resources accessed by the application is created by the attacker.

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).
    2Detective
    Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.
    3Preventative
    Use CAPTCHA to prevent the use of the application by an automated tool.
    4Preventative
    Actively monitor the application and either deny or redirect requests from origins that appear to be automated.
Experiment
  1. Attempt injection payload variations on input parameters:

    Possibly using an automated tool, an attacker requests variations on the inputs he surveyed before. He sends parameters that include variations of payloads. The payloads are designed to bypass incomplete filtering (e.g., incomplete HTML encoding etc.) and tries many variations of characters injection that would enable the XSS payload. He records all the responses from the server that include unmodified versions of his script.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Use a list of XSS probe strings to inject in parameters of known URLs. If possible, the probe strings contain a unique identifier. Attempt numerous variations based on form, format, syntax & encoding.

    env-Web
    2

    Use a proxy tool to record results of manual input of XSS probes in known URLs.

    env-Web

    Indicators

    IDTypeIndicator DescriptionEnvironments
    1Positive

    The output of pages includes some form of a URL parameter. E.g., ?error="File not Found" becomes "File not Found" in the title of the web page

    env-Web
    2Positive

    User-controllable input is output back to the browser

    env-Web
    3Inconclusive

    Nothing is returned to the web page. The payload may be a stored to be served later. The unique identifier from the probe helps to trace the flow of the possible XSS.

    env-Web

    Outcomes

    IDTypeOutcome Description
    1Success
    The attacker's script string is being reflected verbatim at some point in the web site (if not on the same page). Note that sometimes, the payload might be well encoded in the page, but wouldn't be encoded at all in some other section of the same web page (title, etc.)
    2Failure
    All context-sensitive characters are consistently re-encoded before being sent to the web browser. For example, in a HTML tag element, the payload may not be able to evade the quotes in order to inject another attribute.
    3Inconclusive
    Some sensitive characters are consistently encoded, but others are not

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Monitor input to web servers, application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard XSS probes. The majority of attackers use well-known strings to check for vulnerabilities. Use the same vulnerability catalogs that adversaries use.
    2Preventative
    Apply appropriate input validation to filter all user-controllable input of scripting syntax
    3Preventative
    Do not embed user-controllable input generated HTTP headers
    4Preventative
    Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
Exploit
  1. Steal session IDs, credentials, page content, etc.:

    As the attacker succeeds in exploiting the vulnerability, he can choose to steal user's credentials in order to reuse or to analyze them later on.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker.

    env-Web
    2

    Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately.

    env-Web

    Outcomes

    IDTypeOutcome Description
    1Success
    The attacker gets the user's cookies or other session identifiers.
    2Success
    The attacker gets the content of the page the user is viewing.
    3Success
    The attacker causes the user's browser to visit a page with malicious content.

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Monitor server logs for scripting parameters.
    2Detective
    Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
    3Preventative
    Apply appropriate input validation to filter all user-controllable input of scripting syntax
    4Preventative
    Appropriately encode all browser output to avoid scripting syntax
    5Preventative
    Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
  2. Forceful browsing:

    When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not).

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site

    env-Web
    2

    Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities).

    env-Web

    Outcomes

    IDTypeOutcome Description
    1Success
    The attacker indirectly controls the user's browser and makes it performing actions exploiting CSRF.
    2Success
    The attacker manipulates the browser through the steps that he designed in his attack. The user, identified on a website, is now performing actions he is not aware of.

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Monitor server logs for scripting parameters.
    2Detective
    Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
    3Preventative
    Apply appropriate input validation to filter all user-controllable input of scripting syntax
    4Preventative
    Appropriately encode all browser output to avoid scripting syntax
    5Preventative
    Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
  3. Content spoofing:

    By manipulating the content, the attacker targets the information that the user would like to get from the website.

    Attack Step Techniques

    IDAttack Step Technique DescriptionEnvironments
    1

    Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page.

    env-Web

    Outcomes

    IDTypeOutcome Description
    1Success
    The user sees a page containing wrong information

    Security Controls

    IDTypeSecurity Control Description
    1Detective
    Monitor server logs for scripting parameters.
    2Detective
    Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
    3Preventative
    Apply appropriate input validation to filter all user-controllable input of scripting syntax
    4Preventative
    Appropriately encode all browser output to avoid scripting syntax
    5Preventative
    Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.
+ Attack Prerequisites
  • Target client software must allow scripting such as JavaScript.

+ Typical Severity

High

+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Injection
  • Protocol Manipulation
+ Examples-Instances

Description

In this example, the attacker tries to get <script>alert(1)</script> executed by the victim's browser. The target application employs regular expressions to make sure no script is being passed through the application to the web page; such a regular expression could be ((?i)script), and the application would replace all matches by this regex by the empty string. An attacker will then create a special payload to bypass this filter:

(Attack)
 
<scriscriptpt>alert(1)</scscriptript>

when the applications gets this input string, it will replace all "script" (case insensitive) by the empty string and the resulting input will be the desired vector by the attacker:

(Result)
 
<script>alert(1)</script>

In this example, we assume that the application needs to write a particular string in a client-side JavaScript context (e.g., <script>HERE</script>). For the attacker to execute the same payload as in the previous example, he would need to send alert(1) if there was no filtering. The application makes use of the following regular expression as filter

(Mitigation Code)
 
((\w+)\s*\(.*\)|alert|eval|function|document)

and replaces all matches by the empty string. For example each occurrence of alert(), eval(), foo() or even the string "alert" would be stripped. An attacker will then create a special payload to bypass this filter:

(Attack)
 
this['al' + 'ert'](1)

when the applications gets this input string, it won't replace anything and this piece of JavaScript has exactly the same runtime meaning as alert(1). The attacker could also have used non-alphanumeric XSS vectors to bypass the filter; for example,

(Attack)
 
($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+$$](_/_)

would be executed by the JavaScript engine like alert(1) is.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

To inject the malicious payload in a web page

Skill or Knowledge Level: High

To bypass non trivial filters in the application

+ Resources Required

Ability to send HTTP request to a web application.

+ Solutions and Mitigations

Design: Use browser technologies that do not allow client side scripting.

Design: Utilize strict type, character, and encoding enforcement

Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.

Implementation: Ensure all content coming from the client is using the same encoding; if not, the server-side application must canonicalize the data before applying any filtering.

Implementation: Perform input validation for all remote content, including remote and user-generated content

Implementation: Perform output validation for all remote content.

Implementation: Disable scripting languages such as JavaScript in browser

Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Integrity
Modify files or directories
Confidentiality
Read files or directories
Integrity
Modify application data
Confidentiality
Read application data
Authorization
Execute unauthorized code or commands
Run Arbitrary Code
Accountability
Authentication
Authorization
Non-Repudiation
Gain privileges / assume identity
Access_Control
Authorization
Bypass protection mechanism
+ Injection Vector

Any HTTP Request transport variables (GET, POST, Headers, etc.)

+ Payload

XSS malicious script formed in non-traditional syntax

+ Activation Zone

Client web browser where script is executed

+ Payload Activation Impact

Description

Client web browser may be used to steal session data, passwords, cookies, and other tokens.

+ Purposes
  • Exploitation
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: Low
+ Technical Context
Architectural Paradigms
Client-Server
n-Tier
Frameworks
All
Platforms
All
Languages
All
+ References
[R.199.1] [REF-9] "OWASP Cheatsheets". XSS Filter Evasion Cheat Sheet. The Open Web Application Security Project (OWASP). <https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet>.
[R.199.2] [REF-4] "OWASP Testing Guide". Testing for Cross site scripting. v2. The Open Web Application Security Project (OWASP). <http://www.owasp.org/index.php/Testing_for_Cross_site_scripting>.
[R.199.3] "Non-alphanumeric XSS cheat sheet". <http://sla.ckers.org/forum/read.php?24,28687>.
[R.199.4] [REF-1] "WASC Threat Classification 2.0". WASC-08 - Cross Site Scripting. The Web Application Security Consortium (WASC). 2010. <http://projects.webappsec.org/Cross-Site+Scripting>.
+ Content History
Submissions
SubmitterOrganizationDateSource
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team

Page Last Updated: July 23, 2014