CAPEC-199: XSS Using Alternate Syntax

Description

An adversary uses alternate forms of keywords or commands that result in the same action as the primary form but which may not be caught by filters. For example, many keywords are processed in a case insensitive manner. If the site's web filtering algorithm does not convert all tags into a consistent case before the comparison with forbidden keywords it is possible to bypass filters (e.g., incomplete black lists) by using an alternate case structure. For example, the "script" tag using the alternate forms of "Script" or "ScRiPt" may bypass filters where "script" is the only form tested. Other variants using different syntax representations are also possible as well as using pollution meta-characters or entities that are eventually ignored by the rendering engine. The attack can result in the execution of otherwise prohibited functionality.

Extended Description

When the third party web server receives the crafted request and notes the error it then creates an error message that echoes the malformed message, including the exploit. Doing this converts the exploit portion of the message into to valid language elements that are executed by the viewing browser. When a victim executes the query provided by the adversary the infected error message is returned including the exploit code which then runs in the victim's browser. XSS can result in execution of code as well as data leakage (e.g. session cookies can be sent to the attacker). This type of attack is especially dangerous since the exploit appears to come from the third party web server, who the victim may trust and hence be more vulnerable to deception.

Severity :

High

Possibility :

High

Type :

Detailed

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-588: DOM-Based XSS DOM-Based XSS CAPEC-591: Reflected XSS Reflected XSS CAPEC-592: Stored XSS Stored XSS

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Target client software must allow scripting such as JavaScript.

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Low To inject the malicious payload in a web page
High To bypass non trivial filters in the application

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

Ability to send HTTP request to a web application.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-87: Improper Neutralization of Alternate XSS Syntax

Visit http://capec.mitre.org/ for more details.