| Attack Pattern ID | Pattern Abstraction: Standard 73 |
| Typical Severity | High |
| Description | Summary
An attack of this type involves an attacker inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.
|
| Attack Prerequisites |
The victim must trust the name and locale of user controlled filenames.
|
| Typical Likelihood of Exploit |
High
|
| Methods of Attack | - Modification of Resources
|
| Examples-Instances | Description
Phishing attacks rely on a user clicking on links on that are supplied to them by attackers masquerading as a trusted resource such as a bank or online auction site. The end user's email client hosts the supplid resource name in this case via email. The resource name, however may either 1) direct the client browser to a malicious site to steal credentical and/or 2) execute code on the client machine to probe the victim's host system and network environment.
|
| Attacker Skill or Knowledge Required |
Low → To achieve a redirection and use of less trusted source, an attacker can simply edit data that the host uses to build the filename
Medium → Deploying a malicious "look a like" site (such as a site masquerading as a bank or online auction site) that the user enters their authentication data into.
High → Exploiting a client side vulnerability to inject malicious scripts into the browser’s executable process.
|
| Solutions and Mitigations |
Design: Use browser technologies that do not allow client side scripting.
Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.
Implementation: Perform input validation for all remote content.
Implementation: Perform output validation for all remote content.
Implementation: Disable scripting languages such as Javascript in browser
Implementation: Scan dynamically generated content against validation specification
|
| Attack Motivation-Consequences | - Privilege Escalation
- Run Arbitrary Code
- Denial of Service
- Information Leakage
|
| Context Description |
“Attack Pattern: User-Controlled Filename
An unfiltered, user-controlled filename can be used to construct client HTML. Perhaps HTML text is being built from filenames. This can be the case if a Web server is exposing a directory on the file system, for example. If the server does not filter certain characters, the filename itself can include an XSS attack."
[Hoglund and McGraw 04]
|
| Injection Vector |
Payload delivered through user controlled filename.
|
| Payload |
Command(s) executed directly on host
|
| Activation Zone |
Client machine and client network
|
| Payload Activation Impact |
Enables attacker to execute server side code with any commands that the program owner has privileges to.
|
| Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 20 | Insufficient Input Validation | Targeted | | 184 | Incomplete Blacklist | Secondary | | 96 | Insufficient Control of Directives in Statically Saved Code (Static Code Injection) | Targeted | | 348 | Use of Less Trusted Source | Targeted | | 116 | Incorrect Output Sanitization | Targeted | | 350 | Improperly Trusted Reverse DNS | Targeted | | 86 | Invalid Characters in Identifiers | Secondary |
|
| Related Attack Patterns | | ID | Name | Relationship Type | Relationship Description |
|---|
| 63 | Simple Script Injection | More Detailed | |
|
| Purpose | Penetration Exploitation |
| CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| High | High | High |
|
| Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
|
| References |
G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.
|
| Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | Cigital, Inc | 2007-01-01 | |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Gunnar Peterson | Cigital, Inc | 2007-02-28 | Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" | | Sean Barnum | Cigital, Inc | 2007-03-09 | Review and revise | | Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Related Attack Patterns | | Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback |
|
