CAPEC-245: XSS Using Doubled Characters (Version 2.10)

Attack Pattern ID: 245
Abstraction: Detailed
Status: Draft
Completeness: Stub
+ Summary

The attacker bypasses input validation by using doubled characters in order to perform a cross-site scripting attack. Some filters fail to recognize dangerous sequences if they are preceded by repeated characters. For example, when the < before a script command is doubled (<<script, or %3C%3Cscript using URI encoding), the filters of some web applications may fail to recognize the presence of a script tag. If the targeted server is vulnerable to this type of bypass, the attacker can create a crafted URL or other trap to cause a victim to view a page on the targeted server where the malicious content is executed, as per a normal XSS attack.

+ Attack Prerequisites
  • The targeted web application does not fully normalize input before checking for prohibited syntax. In particular, it must fail to recognize prohibited methods preceded by certain sequences of repeated characters.

+ Typical Severity


+ Resources Required

The attacker must trick the victim into following a crafted link to a vulnerable server or into viewing a web post where the dangerous commands are executed.

+ Solutions and Mitigations

Design: Use libraries and templates that minimize unfiltered input.

Implementation: Normalize, filter and sanitize all user supplied fields.

Implementation: The victim should configure the browser to minimize active content from untrusted sources.
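
The normalize-then-sanitize mitigation above, as an added example that is not part of the CAPEC entry: a hypothetical blocklist check that accepts the doubled-character forms quoted in the Summary, next to a handler that decodes the input to a stable form and then HTML-encodes it for output. All function names and sample inputs are constructed for illustration, and decoding until the value stops changing is an assumption about how the application later treats the value.

```javascript
// Added example, not CAPEC's code. All names and inputs are constructed.
const BLOCKED_TAGS = new Set(["script", "iframe", "object"]);

// Weak check: takes the tag name to be everything between "<" and the next
// whitespace or ">". For "<<script>" the name becomes "<script", which is not
// on the blocklist, so the input is accepted. It also never URI-decodes.
function naiveIsAllowed(input) {
  for (const m of input.matchAll(/<([^\s>]+)/g)) {
    if (BLOCKED_TAGS.has(m[1].toLowerCase())) return false;
  }
  return true;
}

// Normalization: percent-decode until the value stops changing (bounded), so
// the sanitizer sees the same characters the page will eventually contain.
function normalize(input, maxRounds = 5) {
  let current = input;
  for (let i = 0; i < maxRounds; i++) {
    let decoded;
    try {
      decoded = decodeURIComponent(current);
    } catch {
      throw new Error("malformed percent-encoding");
    }
    if (decoded === current) return current;
    current = decoded;
  }
  throw new Error("input still encoded after " + maxRounds + " rounds");
}

// Output encoding for an HTML text context: every metacharacter is replaced,
// so no count of leading "<" characters can open a tag.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafely(input) {
  return escapeHtml(normalize(input));
}

// Constructed inputs: plain tag, doubled "<", and the URI-encoded doubled form.
const samples = ["<script>x</script>", "<<script>x</script>", "%3C%3Cscript%3Ex%3C/script%3E"];
for (const s of samples) {
  console.log(JSON.stringify(s), "| naive allows:", naiveIsAllowed(s), "| rendered:", renderSafely(s));
}
```

The hardened path does not depend on recognizing any particular tag name, which is why the doubled character makes no difference to its output.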

+ References
[R.245.1] Matteo Carli. "XSS and CSRF vulnerability on Cpanel". Symantec Connect. SecurityFocus. May 9, 2008. <http://www.securityfocus.com/archive/1/archive/1/491864/100/0/threaded>.
+ Content History
CAPEC Content Team | The MITRE Corporation | 2014-06-23 | Internal_CAPEC_Team
CAPEC Content Team | The MITRE Corporation | 2017-05-01 | Updated Related_Attack_Patterns, Related_Weaknesses | Internal
Previous Entry Names
Date | Previous Entry Name
2017-05-01 | Cross-Site Scripting Using Doubled Characters, e.g. %3C%3Cscript

Page Last Updated or Reviewed: May 01, 2017