CAPEC-247: XSS Using Invalid Characters (CAPEC List, Version 2.11)

Attack Pattern ID: 247
Abstraction: Detailed
Status: Draft
Completeness: Stub
+ Summary

An adversary inserts invalid characters into identifiers to bypass the application's input filtering. A filter may stop scanning at an invalid character, but a later processing stage may still consume the content that follows it. This lets the attacker slip prohibited commands past the filter and perform operations that would normally be blocked. Invalid characters include null, carriage return, line feed or tab inside an identifier. Successfully bypassing the filter can result in an XSS attack, which can disclose web cookies or have other consequences.

+ Attack Prerequisites
  • The target must fail to remove invalid characters from input and fail to adequately scan beyond these characters.

+ Typical Severity

Medium

+ Resources Required

None: No specialized resources are required to execute this type of attack.

+ Solutions and Mitigations

Design: Use libraries and templates that minimize unfiltered input.

Implementation: Normalize, filter, and whitelist any input that will be included in subsequent web pages or back-end operations.

Implementation: The victim should configure the browser to minimize active content from untrusted sources.
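The mismatch the pattern relies on, shown as an added example that is not part of the CAPEC entry: a validator that walks the identifier as a NUL-terminated C string stops scanning at the first null byte, while a later stage copies the full length-delimited buffer into the page. The hardened validator checks every byte of the declared length against an allowlist. Function names and the sample input are constructed for this illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Weak validator: treats the buffer as a C string, so the scan stops at the
 * first NUL byte and nothing after it is ever inspected. */
int naive_identifier_ok(const char *buf, size_t len)
{
    (void)len;                          /* the declared length is ignored: the defect */
    for (const char *p = buf; *p != '\0'; p++) {
        if (!isalnum((unsigned char)*p) && *p != '_')
            return 0;
    }
    return 1;
}

/* Hardened validator: checks every byte of the length-delimited buffer against
 * an allowlist, so NUL, CR, LF, TAB or any other stray byte is rejected
 * wherever it sits in the identifier. */
int strict_identifier_ok(const char *buf, size_t len)
{
    if (len == 0 || len > 64)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (!isalnum(c) && c != '_')
            return 0;
    }
    return 1;
}

/* Later processing stage: copies the whole length-delimited buffer into the
 * page body. It does not stop at NUL, so whatever the naive check skipped
 * over is emitted verbatim. Returns the number of bytes written. */
size_t render_into_page(const char *buf, size_t len, char *out, size_t outcap)
{
    if (len > outcap)
        len = outcap;
    memcpy(out, buf, len);
    return len;
}

/* Constructed sample: a plausible identifier, an embedded NUL, then markup. */
static const char SAMPLE[] = "user\0<b>x";     /* 9 bytes of payload */
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)
```

Running the two validators over SAMPLE shows the naive one accepting it (it only ever sees "user") while the strict one rejects it; render_into_page then demonstrates that the rest of the buffer would have reached the page.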

+ Content History

Submissions
Submitter          | Organization          | Date       | Source
CAPEC Content Team | The MITRE Corporation | 2014-06-23 | Internal_CAPEC_Team

Modifications
Modifier           | Organization          | Date       | Comments                                                                  | Source
CAPEC Content Team | The MITRE Corporation | 2017-05-01 | Updated Description Summary, Related_Attack_Patterns, Related_Weaknesses | Internal
CAPEC Content Team | The MITRE Corporation | 2017-08-04 | Updated Resources_Required                                                | Internal

Previous Entry Names
Date       | Previous Entry Name
2017-05-01 | Cross-Site Scripting with Masking through Invalid Characters in Identifiers

Page Last Updated or Reviewed: July 31, 2017