Cross Site Scripting through Log Files
Attack Pattern ID: 106 (Standard Attack Pattern Completeness: Complete) | Typical Severity: High | Status: Draft
Summary
An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attacker's scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
Attack Execution Flow
Probe for log injection vulnerability:
The attacker probes all user-controllable data inputs to the system for log injection vulnerabilities. This may be difficult (unless the attacker has a white box view of the system) because there may be no feedback event indicating to the attacker that certain information is being logged.
Outcomes
ID | Type | Outcome Description
---|---|---
1 | Success | User-injected input shows up in the logs
Security Controls
ID | Type | Security Control Description
---|---|---
1 | Preventative | Apply appropriate input validation and filtering of user-controllable input before writing to logs
Probe for cross-site scripting vulnerability:
The attacker probes all user-controllable data inputs to the system for cross-site scripting vulnerabilities. Cross-site scripting vulnerabilities identified anywhere in the application indicate an increased likelihood that such vulnerabilities also exist in the log management portions of the application.
Outcomes
ID | Type | Outcome Description
---|---|---
1 | Success | Attacker-injected script is executed in the user's browser.
Security Controls
ID | Type | Security Control Description
---|---|---
1 | Preventative | HTML encode all log contents before displaying them in log management interfaces.
Confirm exploitability:
Create a simple script and inject it into one of the potentially vulnerable fields. This script should take some action that gives the attacker an indication that the attack vector exists.
Attack Step Techniques
ID | Attack Step Technique Description | Environments
---|---|---
1 | The idea is to receive some sort of feedback event that confirms that an attack is succeeding. That is done with a simple script prior to crafting a possibly more complex script to launch an actual attack. | env-Web
Outcomes
ID | Type | Outcome Description
---|---|---
1 | Success | Expected script execution feedback event is observed.
Inject System Logs with Malicious Scripts:
Create a malicious script to run in the administrator's web-based interface and inject it into the system's logs through one of the user-controlled fields that are being logged.
Attack Step Techniques
ID | Attack Step Technique Description | Environments
---|---|---
1 | Inject the vulnerable fields by tampering with their values to contain the malicious scripts. Possibly trigger another event that makes it more likely that the injected logs are viewed in the vulnerable UI as soon as possible. | env-Web
Attack Prerequisites
- The system uses a web-based interface
- The system does not cleanse / validate user-supplied data before writing it to logs
- Information from logs is displayed in a web-based interface
- The web-based log interface does not HTML output encode the log data prior to displaying it in the administrator console.
Description
An attacker determines that a particular system uses a web-based interface for administration. The attacker creates a new user record and supplies a malicious script in the user name field. The script will steal the administrator's authentication cookie and forward it to a site controlled by the attacker. The user name field is not validated by the system and is logged as is. At some point later, an administrator reviews the log activity in the administrative console. When the administrator comes across the attacker's activity record, the malicious script is executed in the context of the administrator's browser, stealing the administrator's authentication cookie and forwarding it to the attacker. The attacker then uses the received authentication cookie to log in to the system as an administrator, assuming that the administrator console can be accessed remotely.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
Requires the ability to write a simple script and try to inject it through various user-controlled fields in the system.
Resources Required
Locate system screens for operations that are likely to be logged and use these as starting points for injection.
Solutions and Mitigations
- Cleanse all user-supplied data before placing it in the logs. Reject all bad data. Ensure that the data is in the expected form.
- Use proper HTML output encoding techniques to neutralize potentially dangerous scripting characters in the log data before displaying it in the administrative console.
- If possible, disable script execution in the administrative interface.
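The two mitigations above (cleanse before logging, HTML-encode before displaying) are easiest to see side by side with the vulnerable pattern they fix. The following Python is an added example written for this page, not CAPEC's own code: the application, the `user=` log format, the username whitelist and the sample input are all constructed for illustration. It shows a log writer and log viewer that exhibit the prerequisites listed above, their hardened counterparts, and a small defender-side check that flags existing log entries which look like markup or forged records.

```python
"""Log injection + stored XSS in a log viewer: vulnerable vs. hardened.

Added example (not CAPEC's own code). The log format, the username
rule and the sample input below are constructed for illustration.
"""
import html
import re

# ---------- the vulnerable pattern this attack pattern relies on ----------

def vulnerable_log_line(event: str, username: str) -> str:
    """Writes user-controlled data to the log verbatim: no cleansing,
    so an embedded newline forges a second log record."""
    return f"{event} user={username}"


def vulnerable_render(log_lines: list[str]) -> str:
    """Builds the admin log page without HTML output encoding, so any
    markup stored in the log is interpreted by the administrator's browser."""
    rows = "".join(f"<tr><td>{line}</td></tr>" for line in log_lines)
    return f"<table>{rows}</table>"


# ---------- hardened counterparts ----------

# "Ensure that the data is in the expected form": a whitelist for the
# username field (constructed rule; real rules depend on the application).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(username: str) -> str:
    """Reject bad data outright instead of trying to repair it."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username has unexpected form")
    return username


def neutralize_for_log(value: str) -> str:
    """Escape every non-printable character (CR and LF in particular) so
    a single input value can never span or forge log records."""
    return "".join(ch if ch.isprintable() else f"\\x{ord(ch):02x}" for ch in value)


def safe_log_line(event: str, username: str) -> str:
    """Cleanse before writing to the log (defence in depth, applied even
    when validation elsewhere should already have rejected the value)."""
    return f"{event} user={neutralize_for_log(username)}"


def safe_render(log_lines: list[str]) -> str:
    """HTML-encode each log line at the point it is written into the page,
    so stored markup is displayed as text rather than executed."""
    rows = "".join(f"<tr><td>{html.escape(line, quote=True)}</td></tr>"
                   for line in log_lines)
    return f"<table>{rows}</table>"


# ---------- defender-side check over existing log lines ----------

# Tag-like sequences, javascript: URLs and inline event handlers are not
# expected in a username field; entries containing them deserve review.
SUSPICIOUS_RE = re.compile(r"<\s*/?\s*[a-zA-Z]|javascript:|\bon\w+\s*=", re.IGNORECASE)


def find_suspicious_entries(log_lines: list[str]) -> list[int]:
    """Return the indexes of log lines that look like injected markup."""
    return [i for i, line in enumerate(log_lines) if SUSPICIOUS_RE.search(line)]


# Constructed sample input: markup plus a newline that forges a fake record.
CONSTRUCTED_USERNAME = "mallory<script>alert(1)</script>\nlogin user=admin result=success"

if __name__ == "__main__":
    bad = vulnerable_log_line("signup", CONSTRUCTED_USERNAME)
    print("vulnerable page contains live <script>:", "<script>" in vulnerable_render([bad]))
    good = safe_log_line("signup", CONSTRUCTED_USERNAME)
    print("hardened log line:", good)
    print("hardened page contains live <script>:", "<script>" in safe_render([good]))
    print("suspicious entries:", find_suspicious_entries(["signup user=bob", bad]))
```

Note that the two fixes are independent and both are needed: `neutralize_for_log` stops the log injection half of the pattern (forged records, control characters), while `safe_render` stops the stored cross-site scripting half even for log lines that were written before the writer was fixed.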
Attack Motivation-Consequences
- Information Leakage
- Privilege Escalation
- Run Arbitrary Code
- Data Modification
Related Attack Patterns
Nature | Type | ID | Name | Description | View(s) this relationship pertains to
---|---|---|---|---|---
ChildOf | Attack Pattern | 18 | Embedding Scripts in Nonscript Elements | | Mechanism of Attack (primary) 1000
ChildOf | Attack Pattern | 63 | Simple Script Injection | Script injection attack pattern is one of the components of the current attack pattern | Mechanism of Attack 1000
ChildOf | Attack Pattern | 93 | Log Injection-Tampering-Forging | Log injection attack pattern is one of the components of the current attack pattern | Mechanism of Attack 1000
Relevant Security Requirements
- HTML output encode all data prior to writing it to an HTML page
- Properly validate and cleanse/reject user-supplied data before writing it to log files