CAPEC-245: XSS Using Doubled Characters (Version 3.0)

Attack Pattern ID: 245
Abstraction: Detailed
Status: Draft
+ Description
The attacker bypasses input validation by using doubled characters in order to perform a cross-site scripting attack. Some filters fail to recognize dangerous sequences if they are preceded by repeated characters. For example, when the < before a script command is doubled (<<script, or %3C%3Cscript using URI encoding), the filters of some web applications may fail to recognize the presence of a script tag. If the targeted server is vulnerable to this type of bypass, the attacker can create a crafted URL or other trap to cause a victim to view a page on the targeted server where the malicious content is executed, as per a normal XSS attack.
+ Typical Severity

Medium

+ Relationships

The table below shows the other attack patterns and high-level categories that are related to this attack pattern. These relationships are defined as ChildOf, ParentOf, and MemberOf, and give insight into similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

+ Relevant to the view "Mechanisms of Attack" (CAPEC-1000)
Nature | Type | ID | Name
ChildOf | Detailed Attack Pattern | 588 | DOM-Based XSS
ChildOf | Detailed Attack Pattern | 591 | Reflected XSS
ChildOf | Detailed Attack Pattern | 592 | Stored XSS

Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.
+ Prerequisites
The targeted web application does not fully normalize input before checking for prohibited syntax. In particular, it must fail to recognize prohibited methods preceded by certain sequences of repeated characters.
+ Resources Required
The attacker must trick the victim into following a crafted link to a vulnerable server or viewing a web post where the dangerous commands are executed.
+ Mitigations
Design: Use libraries and templates that minimize unfiltered input.
Implementation: Normalize, filter and sanitize all user-supplied fields.
Implementation: The victim should configure the browser to minimize active content from untrusted sources.
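
The filter failure from the Description and the normalize-then-sanitize mitigation above, shown side by side as an added example (not part of the CAPEC entry). The denylist filter, its tag list, the function names and the sample inputs are all constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Hypothetical denylist filter of the kind the Description says can be bypassed.
DENYLIST = {"script", "iframe", "object"}
TAG_RE = re.compile(r"<([^>]*)>")

def naive_filter(value: str) -> str:
    """Weak 'before' filter: drops a tag only if its first word is denylisted."""
    def drop_if_denied(match):
        words = match.group(1).strip("/ ").split()
        name = words[0].lower() if words else ""
        # For "<<script>" the captured name is "<script", which is not on the list.
        return "" if name in DENYLIST else match.group(0)
    return TAG_RE.sub(drop_if_denied, value)

def normalize(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing, so checks see final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("input still encoded after max_rounds decodes; reject it")

def render_safely(value: str) -> str:
    """Hardened path: normalize first, then HTML-escape instead of denylisting."""
    return html.escape(normalize(value), quote=True)

# Constructed sample inputs, using the forms named in the Description.
SINGLE = "<script>sample()</script>"
DOUBLED = "<<script>sample()</script>"
ENCODED = "%3C%3Cscript%3Esample()%3C/script%3E"

if __name__ == "__main__":
    for label, sample in (("single", SINGLE), ("doubled", DOUBLED), ("encoded", ENCODED)):
        print(f"{label:8} naive={naive_filter(sample)!r}")
        print(f"{label:8} safe ={render_safely(sample)!r}")
```

The naive filter removes the plain tag but leaves the opening tag intact in the doubled form and never sees a tag at all in the encoded form; the hardened path produces the same inert text for both.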
+ References
[REF-99] Matteo Carli. "XSS and CSRF vulnerability on Cpanel". Symantec Connect. SecurityFocus. 2008-05-09. <http://www.securityfocus.com/archive/1/archive/1/491864/100/0/threaded>.
+ Content History
Submissions
Submission Date | Submitter | Organization
2014-06-23 | CAPEC Content Team | The MITRE Corporation

Modifications
Modification Date | Modifier | Organization
2017-05-01 | CAPEC Content Team | The MITRE Corporation
Updated Related_Attack_Patterns, Related_Weaknesses

Previous Entry Names
Change Date | Previous Entry Name
2017-05-01 | Cross-Site Scripting Using Doubled Characters, e.g. %3C%3Cscript

Page Last Updated or Reviewed: July 31, 2018