This type of attack is a form of Cross-site Scripting (XSS) where a malicious script is persistenly “stored” within the data storage of a vulnerable web application. Initially presented by an adversary to the vulnerable web application, the malicious script is incorrectly considered valid input and is not properly encoded by the web application. A victim is then convinced to use the web application in a way that creates a response that includes the malicious script. This response is subsequently sent to the victim and the malicious script is executed by the victim's browser. To launch a successful Stored XSS attack, an adversary looks for places where stored input data is used in the generation of a response. This often involves elements that are not expected to host scripts such as image tags (<img>), or the addition of event attibutes such as onload and onmouseover. These elements are often not subject to the same input validation, output encoding, and other content filtering and checking routines.
Attack Prerequisites
An application that leverages a client-side web browser with scripting enabled.
An application that fails to adequately sanitize or encode untrusted input.
An application that stores information provided by the user in data storage of some kind.
Typical Severity
Very High
Typical Likelihood of Exploit
Likelihood: High
If this weakness is present in an application, then there is a high likelihood that it will be found and exploited. The prevelance of automated dynamic analysis tools (e.g., fuzzers) have made identifying weaknesses like these achievable by even the most basic adversary. Once identified, this type of weakness can often be exploited with minimal trial and error.
Examples-Instances
Description
An adversary determines that a system uses a web based interface for administration. The adversary creates a new user record and supplies a malicious script in the user name field. The user name field is not validated by the system and a new log entry is created detailing the creation of the new user. Later, an administrator reviews the log in the administrative console. When the administrator comes across the new user entry, the browser sees a script and executes it, stealing the administrator's authentication cookie and forwarding it to the adversary. An adversary then uses the received authentication cookie to log in to the system as an administrator, provided that the administrator console can be accessed remotely.
Description
An online discussion forum allows its members to post HTML-enabled messages, which can also include image tags. An adversary embeds JavaScript in the image tags of his message. The adversary then sends the victim an email advertising free goods and provides a link to the form for how to collect. When the victim visits the forum and reads the message, the malicious script is executed within the victim's browser.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
Requires the ability to write scripts of varying complexity and to inject them through user controlled fields within the application.
Resources Required
No specialized hardware or software resources are required to launch this type of attack.
Probing Techniques
Locate system capabilities within a web application that store user-supplied information without proper encoding or sanitization
Solutions and Mitigations
Use browser technologies that do not allow client-side scripting.
Utilize strict type, character, and encoding enforcement.
Ensure that all user-supplied input is validated before being stored.
Attack Motivation-Consequences
Scope
Technical
Impact
Note
Confidentiality
Read application data
Read files or directories
A successful Stored XSS attack can enable an adversary to exfiltrate sensitive information from the application.
Confidentiality
Authorization
Access_Control
Gain privileges / assume identity
A successful Stored XSS attack can enable an adversary to elevate their privilege level and access functionality they should not otherwise be allowed to access.
Confidentiality
Integrity
Availability
Execute unauthorized code or commands
A successful Stored XSS attack can enable an adversary run arbitrary code of their choosing, thus enabling a complete compromise of the application.
Integrity
Modify memory
Modify files or directories
Modify application data
A successful Stored XSS attack can allow an adversary to tamper with application data.
Cross-site scripting (XSS) vulnerability in Meunity Community System 1.1 allows remote attackers to inject arbitrary web script or HTML via Javascript in an IMG tag when creating a topic.
Firefox Sage extension 1.3.8 and earlier allows remote attackers to execute arbitrary Javascript in the local context via an RSS feed with an img tag containing the script followed by an extra trailing ">", which Sage modifies to close the img element before the malicious script.
More information is available — Please select a different filter.
Page Last Updated or Reviewed:
May 01, 2017
Use of the Common Attack Pattern Enumeration and Classification dictionary and classification taxonomy, and the associated references from this website, are subject to the
Terms of Use. For more information, please email
capec@mitre.org.
Summary
