Dark Mode
Capec-199 Detail
XSS Using Alternate Syntax
Detailed Software Software Software Likelihood: High Typical Severity: High
Parents: 588 591 592
An adversary uses alternate forms of keywords or commands that result in the same action as the primary form but which may not be caught by filters. For example, many keywords are processed in a case insensitive manner. If the site's web filtering algorithm does not convert all tags into a consistent case before the comparison with forbidden keywords it is possible to bypass filters (e.g., incomplete black lists) by using an alternate case structure. For example, the "script" tag using the alternate forms of "Script" or "ScRiPt" may bypass filters where "script" is the only form tested. Other variants using different syntax representations are also possible as well as using pollution meta-characters or entities that are eventually ignored by the rendering engine. The attack can result in the execution of otherwise prohibited functionality.
Not present
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-199 | capec | https://capec.mitre.org/data/definitions/199.html | |
| CWE-87 | cwe | http://cwe.mitre.org/data/definitions/87.html | |
| REF-69 | reference_from_CAPEC | https://www.owasp.org/www-community/xss-filter-evasion-cheatsheet | OWASP Cheatsheets, The Open Web Application Security Project (OWASP) |
| REF-70 | reference_from_CAPEC | http://www.owasp.org/index.php/Testing_for_Cross_site_scripting | OWASP Testing Guide (v2), The Open Web Application Security Project (OWASP) |
| REF-71 | reference_from_CAPEC | http://sla.ckers.org/forum/read.php?24,28687 | Non-alphanumeric XSS cheat sheet |
| REF-72 | reference_from_CAPEC | http://projects.webappsec.org/Cross-Site+Scripting | WASC Threat Classification 2.0, 2010, The Web Application Security Consortium (WASC) |
Explore
-
Survey the application for user-controllable inputs: Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.
| Techniques |
|---|
| Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL. |
| Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms. |
| Use a browser to manually explore the website and analyze how it is constructed. Many browser's plugins are available to facilitate the analysis or automate the URL discovery. |
Experiment
-
Probe identified potential entry points for XSS vulnerability: Possibly using an automated tool, an adversary requests variations on the inputs they surveyed before using alternate syntax. These inputs are designed to bypass incomplete filtering (e.g., incomplete HTML encoding etc.) and try many variations of characters injection that would enable the XSS payload. They record all the responses from the server that include unmodified versions of their script.
-
Craft malicious XSS URL: Once the adversary has determined which parameters are vulnerable to XSS, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim.
| Techniques |
|---|
| Use a list of XSS probe strings to inject in parameters of known URLs. If possible, the probe strings contain a unique identifier. Attempt numerous variations based on form, format, syntax & encoding. |
| Use a proxy tool to record results of manual input of XSS probes in known URLs. |
| Techniques |
|---|
| Change a URL parameter to include a malicious script tag created using alternate syntax to bypass filters. |
| Send information gathered from the malicious script to a remote endpoint. |
Exploit
-
Get victim to click URL: In order for the attack to be successful, the victim needs to access the malicious URL.
| Techniques |
|---|
| Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion. |
| Put the malicious URL on a public forum, where many victims might accidentally click the link. |
- Target client software must allow scripting such as JavaScript.
- Ability to send HTTP request to a web application.
| Low | High |
|---|---|
| To inject the malicious payload in a web page | |
| To bypass non trivial filters in the application |
| Integrity | Authorization | Access Control | Accountability | Authentication | Confidentiality | Non-Repudiation |
|---|---|---|---|---|---|---|
| Modify Data | Execute Unauthorized Commands (Run Arbitrary Code) | Bypass Protection Mechanism | Gain Privileges | Gain Privileges | Read Data | Gain Privileges |
| Gain Privileges | ||||||
| Bypass Protection Mechanism |
- In this example, the adversary tries to get executed by the victim's browser. The target application employs regular expressions to make sure no script is being passed through the application to the web page; such a regular expression could be ((?i)script), and the application would replace all matches by this regex by the empty string. An adversary will then create a special payload to bypass this filter: alert(1) when the applications gets this input string, it will replace all "script" (case insensitive) by the empty string and the resulting input will be the desired vector by the adversary: In this example, we assume that the application needs to write a particular string in a client-side JavaScript context (e.g., ). For the adversary to execute the same payload as in the previous example, they would need to send alert(1) if there was no filtering. The application makes use of the following regular expression as filter ((\w+)\s\\(.\\)|alert|eval|function|document) and replaces all matches by the empty string. For example each occurrence of alert(), eval(), foo() or even the string "alert" would be stripped. An adversary will then create a special payload to bypass this filter: this['al' + 'ert'](1) when the applications gets this input string, it won't replace anything and this piece of JavaScript has exactly the same runtime meaning as alert(1). The adversary could also have used non-alphanumeric XSS vectors to bypass the filter; for example, ($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+$$](_/_) would be executed by the JavaScript engine like alert(1) is.