CAPEC-592: Stored XSS

Description
An adversary utilizes a form of Cross-site Scripting (XSS) where a malicious script is persistently "stored" within the data storage of a vulnerable web application as valid input.
Extended Description

Initially presented by an adversary to the vulnerable web application, the malicious script is incorrectly considered valid input and is not properly encoded by the web application. A victim is then convinced to use the web application in a way that creates a response that includes the malicious script. This response is subsequently sent to the victim and the malicious script is executed by the victim's browser. To launch a successful Stored XSS attack, an adversary looks for places where stored input data is used in the generation of a response. This often involves elements that are not expected to host scripts such as image tags (<img>), or the addition of event attributes such as onload and onmouseover. These elements are often not subject to the same input validation, output encoding, and other content filtering and checking routines.

Severity :

Very High

Possibility :

High

Type :

Detailed
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-18: XSS Targeting Non-Script Elements XSS Targeting Non-Script Elements CAPEC-32: XSS Through HTTP Query Strings XSS Through HTTP Query Strings CAPEC-63: Cross-Site Scripting (XSS) Cross-Site Scripting (XSS) CAPEC-73: User-Controlled Filename User-Controlled Filename CAPEC-86: XSS Through HTTP Headers XSS Through HTTP Headers CAPEC-93: Log Injection-Tampering-Forging Log Injection-Tampering-Forging CAPEC-198: XSS Targeting Error Pages XSS Targeting Error Pages CAPEC-199: XSS Using Alternate Syntax XSS Using Alternate Syntax CAPEC-209: XSS Using MIME Type Mismatch XSS Using MIME Type Mismatch CAPEC-243: XSS Targeting HTML Attributes XSS Targeting HTML Attributes CAPEC-244: XSS Targeting URI Placeholders XSS Targeting URI Placeholders CAPEC-245: XSS Using Doubled Characters XSS Using Doubled Characters CAPEC-247: XSS Using Invalid Characters XSS Using Invalid Characters
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • An application that leverages a client-side web browser with scripting enabled.
  • An application that fails to adequately sanitize or encode untrusted input.
  • An application that stores information provided by the user in data storage of some kind.
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Medium Requires the ability to write scripts of varying complexity and to inject them through user controlled fields within the application.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

None: No specialized resources are required to execute this type of attack.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Visit http://capec.mitre.org/ for more details.