The attacker inserts invalid characters in identifiers to bypass
application filtering of input. Filters may not scan beyond invalid
characters, but during later stages of processing, content that follows
these invalid characters may still be processed. This allows the attacker to
sneak prohibited commands past filters and perform normally prohibited
operations. Invalid characters may include null, carriage return, line feed
or tab in an identifier. Successfully bypassing the filter can result in an
XSS attack, leading to the disclosure of web cookies or possibly other results.
Attack Prerequisites
The target must fail to remove invalid characters from input and fail to
adequately scan beyond these characters.
Resources Required
No special resources are required.
Solutions and Mitigations
Design: Use libraries and templates that minimize unfiltered input.
Implementation: Normalize, filter and white list any input that will be
included in any subsequent web pages or back end operations.
Implementation: The victim should configure the browser to minimize active
content from untrusted sources.
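
The following added example (not part of the original entry) contrasts a filter that stops scanning at the first invalid character with one that normalizes, rejects invalid characters anywhere in the value, and then allow-lists the whole identifier. The allow-list pattern, the blocked token, the function names and the sample inputs are assumptions made for illustration; the check also goes slightly beyond the four characters named above by rejecting every Unicode control and format character.

```python
import re
import unicodedata

# Invalid characters the text names: null, carriage return, line feed, tab.
NAMED = {"\x00": "NUL", "\r": "CR", "\n": "LF", "\t": "TAB"}
# Assumed allow list for an identifier (not from the original text).
ALLOWED = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Assumed deny token used by the flawed filter below.
BLOCKED = ("<script",)


def naive_filter(value: str) -> bool:
    """Flawed 'before': stops scanning at the first invalid character,
    so anything after it is never inspected."""
    scanned = re.split(r"[\x00\r\n\t]", value, maxsplit=1)[0]
    return not any(token in scanned.lower() for token in BLOCKED)


def invalid_chars(value: str) -> list:
    """Return (offset, name) for every control or format character."""
    return [
        (i, NAMED.get(ch, f"U+{ord(ch):04X}"))
        for i, ch in enumerate(value)
        if unicodedata.category(ch) in ("Cc", "Cf")
    ]


def validate_identifier(value: str) -> str:
    """Hardened 'after': normalize, reject invalid characters anywhere in
    the value, then allow-list the whole string."""
    normalized = unicodedata.normalize("NFKC", value)
    bad = invalid_chars(normalized)
    if bad:
        raise ValueError(f"invalid characters at {bad}")
    if not ALLOWED.fullmatch(normalized):
        raise ValueError("identifier not in allow list")
    return normalized


if __name__ == "__main__":
    # Constructed samples: one clean identifier, four with an embedded
    # invalid character followed by content the filter should have seen.
    samples = ["user_42"] + [f"user{c}<script>" for c in NAMED]
    for s in samples:
        try:
            verdict = "accepted " + validate_identifier(s)
        except ValueError as exc:
            verdict = f"rejected ({exc})"
        print(f"{s!r}: naive_pass={naive_filter(s)} hardened={verdict}")
```

Rejecting the value outright, rather than stripping the invalid characters and continuing, avoids any mismatch between what the filter inspected and what later processing stages receive.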