Cross-Site Scripting Using Alternate Syntax
Attack Pattern ID: 199 (Standard Attack Pattern Completeness: Stub)
Typical Severity: Medium
Status: Draft
+ Description

Summary

The attacker uses an alternate form of a keyword or command that results in the same action as the primary form but which may not be caught by filters. For example, many keywords are processed in a case-insensitive manner. If the site's web filtering algorithm does not convert all tags into a consistent case before comparing them with forbidden keywords, it is possible to bypass filters by using an alternate case structure. For example, the "script" tag written in the alternate forms "Script" or "ScRiPt" may bypass filters where "script" is the only form tested. Other variants using different syntax representations are also possible. The attack can result in the execution of otherwise prohibited functionality.
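The following added example (not part of the original entry) runs the case variants named above through a case-sensitive keyword check, a case-folding check, and output encoding, and records what each lets through. The function names, the `FORBIDDEN` list and the sample strings are constructed for illustration.

```python
import html
import re

# Constructed sample inputs: the case variants named in the summary,
# plus one benign comment that merely contains the word "script".
SAMPLES = [
    "<script>alert(1)</script>",
    "<Script>alert(1)</Script>",
    "<ScRiPt>alert(1)</ScRiPt>",
    "I wrote a shell script today",
]

FORBIDDEN = ("<script",)  # hypothetical blocklist, lowercase form only


def naive_filter(value):
    """Weak check (CWE-87): compares against the lowercase keyword only."""
    return not any(word in value for word in FORBIDDEN)


def normalized_filter(value):
    """Folds case before comparing, so every case variant matches."""
    folded = value.casefold()
    return not any(word in folded for word in FORBIDDEN)


def render_comment(value):
    """Output encoding: markup characters become entities, whatever the spelling."""
    return "<p>" + html.escape(value, quote=True) + "</p>"


def contains_live_tag(page):
    """True if a script start tag survives in the rendered HTML, in any case."""
    return re.search(r"<\s*script\b", page, re.IGNORECASE) is not None


def audit(samples=SAMPLES):
    """Return one result row per sample for all three defences."""
    return [{
        "input": s,
        "naive_accepts": naive_filter(s),
        "normalized_accepts": normalized_filter(s),
        "live_tag_after_encoding": contains_live_tag(render_comment(s)),
    } for s in samples]


if __name__ == "__main__":
    for row in audit():
        print(row)
```

Case folding closes only the case-variant gap; because other syntax variants are possible, encoding at output is the control that does not depend on enumerating spellings.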

+ Attack Prerequisites

The target web site must not adequately filter alternate syntax in web input.

+ Resources Required

The attacker must trick the victim into following a crafted link to a vulnerable server or viewing a web post where the dangerous commands are executed.

+ Related Weaknesses
| CWE-ID | Weakness Name | Weakness Relationship Type |
|---|---|---|
| 79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') | Targeted |
| 87 | Failure to Sanitize Alternate XSS Syntax | Targeted |

+ Related Vulnerabilities
| Vulnerability ID | Relationship Description |
|---|---|
| CVE-2002-0738 | MHonArc 2.5.2 and earlier does not properly filter Javascript from archived e-mail messages, which could allow remote attackers to execute script in web clients by (1) splitting the SCRIPT tag into smaller pieces, (2) including the script in a SRC argument to an IMG tag, or (3) using "&={script}" syntax. |

+ Related Attack Patterns
| Nature | Type | ID | Name | Description | View(s) this relationship pertains to |
|---|---|---|---|---|---|
| ChildOf | Attack Pattern | 18 | Embedding Scripts in Nonscript Elements | | Mechanism of Attack (primary) 1000 |