Home > CAPEC List > CAPEC-243: XSS Targetting HTML Attributes (Version 2.11)  

CAPEC-243: XSS Targetting HTML Attributes

XSS Targetting HTML Attributes
Definition in a New Window Definition in a New Window
Attack Pattern ID: 243
Abstraction: Detailed
Status: Draft
Completeness: Stub
Presentation Filter:
+ Summary

An adeversary inserts commands to perform cross-site scripting (XSS) actions in HTML attributes. Many filters do not adequately sanitize attributes against the presence of potentially dangerous commands even if they adequately sanitize tags. For example, dangerous expressions could be inserted into a style attribute in an anchor tag, resulting in the execution of malicious code when the resulting page is rendered. If a victim is tricked into viewing the rendered page the attack proceeds like a normal XSS attack, possibly resulting in the loss of sensitive cookies or other malicious activities.

+ Attack Prerequisites
  • The target application must fail to adequately sanitize HTML attributes against the presence of dangerous commands.

+ Typical Severity


+ Resources Required

The attacker must trick the victim into following a crafted link to a vulnerable server or view a web post where the dangerous commands are executed.

+ Solutions and Mitigations

Design: Use libraries and templates that minimize unfiltered input.

Implementation: Normalize, filter and white list all input including that which is not expected to have any scripting content.

Implementation: The victim should configure the browser to minimize active content from untrusted sources.

+ References
[R.243.1] Jeremiah Grossman. "Attribute-Based Cross-Site Scripting". <http://jeremiahgrossman.blogspot.com/2007/07/attribute-based-cross-site-scripting.html>.
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
CAPEC Content TeamThe MITRE Corporation2017-05-01Updated Description Summary, Related_Attack_Patterns, Related_WeaknessesInternal
Previous Entry Names
DatePrevious Entry Name
2017-05-01Cross-Site Scripting in Attributes

More information is available — Please select a different filter.
Page Last Updated or Reviewed: August 04, 2017