CAPEC-245: Cross-Site Scripting Using Doubled Characters, e.g. %3C%3Cscript (CAPEC Version 2.5)

Attack Pattern ID: 245
Abstraction: Detailed
Status: Draft
Completeness: Stub
+ Description

Summary

The attacker bypasses input validation by using doubled characters in order to perform a cross-site scripting attack. Some filters fail to recognize dangerous sequences if they are preceded by repeated characters. For example, by doubling the < before a script command (<<script, or %3C%3Cscript using URI encoding), the filters of some web applications may fail to recognize the presence of a script tag. If the targeted server is vulnerable to this type of bypass, the attacker can create a crafted URL or other trap to cause a victim to view a page on the targeted server where the malicious content is executed, as in a normal XSS attack.

+ Attack Prerequisites
  • The targeted web application does not fully normalize input before checking for prohibited syntax. In particular, it must fail to recognize prohibited syntax when it is preceded by certain sequences of repeated characters.

+ Typical Severity

Medium

+ Resources Required

The attacker must trick the victim into following a crafted link to a vulnerable server or into viewing a web post where the dangerous commands are executed.

+ Solutions and Mitigations

Design: Use libraries and templates that minimize unfiltered input.

Implementation: Normalize, filter and sanitize all user supplied fields.

Implementation: The victim should configure the browser to minimize active content from untrusted sources.
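As an added example (not part of the CAPEC entry), the code below reproduces the failure mode the Description names, a blocklist filter that mis-scans a doubled < and never URL-decodes, beside a normalizing check and the output encoding the Implementation mitigation calls for. The function names, the tag list and the sample inputs are constructed for this illustration.

```python
import html
import re
from urllib.parse import unquote

# Constructed blocklist of tag names a filter might reject.
DANGEROUS_TAGS = {"script", "iframe", "object", "embed"}


def naive_filter_rejects(fragment: str) -> bool:
    """Buggy blocklist. On '<' it reads the following tag name; when the next
    character is not a letter it treats '<' plus that character as junk and
    skips both, so the second '<' of '<<script' is never seen as a tag opener.
    It also never URL-decodes, so %3C%3Cscript is just plain text to it."""
    i = 0
    while i < len(fragment):
        if fragment[i] == "<":
            m = re.match(r"[A-Za-z]+", fragment[i + 1:])
            if m and m.group(0).lower() in DANGEROUS_TAGS:
                return True
            i += 2  # bug: consumes the next character unconditionally
        else:
            i += 1
    return False


def normalize(value: str) -> str:
    """Canonicalize before inspection: percent-decode until the value is
    stable, with a bound so nested encodings cannot loop forever."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def hardened_filter_rejects(fragment: str) -> bool:
    """Inspects the normalized text and lets the regex engine retry at every
    position, so a stray '<' cannot hide the tag that starts right after it."""
    text = normalize(fragment)
    for m in re.finditer(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)", text):
        if m.group(1).lower() in DANGEROUS_TAGS:
            return True
    return False


def render_untrusted(value: str) -> str:
    """Preferred mitigation: encode on output instead of blocklisting, so
    every '<' reaches the browser as text no matter how many are doubled."""
    return html.escape(value, quote=True)
```

The blocklist variants are shown only to make the normalization gap concrete; in practice the output-encoding path is the one to rely on, with the filter as defence in depth.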


Page Last Updated: May 07, 2014