Cross-Site Scripting via Encoded URI Schemes
Attack Pattern ID: 244 (Detailed Attack Pattern Completeness: Stub)
Typical Severity: Medium
Status: Draft
+ Description

Summary

The attacker bypasses web application filtering by using alternate character encoding in order to execute a cross-site scripting (XSS) attack. The attacker may use alternate encoding schemes such as URI or Unicode character encodings. If the comparison between the string containing the alternate-encoded character(s) and the target string is done before the input is fully normalized, the comparison may fail to detect prohibited commands. Once filters are bypassed, the attack proceeds as a normal XSS attack, potentially resulting in the loss of sensitive cookies or other actions.

+ Attack Prerequisites

The target must not completely normalize user input before filtering prohibited identifiers.

+ Resources Required

The attacker must trick the victim into following a crafted link to a vulnerable server or into viewing a web post where the dangerous commands are executed.

+ Solutions and Mitigations

Design: Use libraries and templates that minimize unfiltered input.

Implementation: Normalize, filter and white list any input that will be included in any subsequent web pages or back end operations.
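
The following added example (not part of the original entry) contrasts a filter that compares the raw string against a blocklist with one that normalizes first and then applies a scheme allowlist. The function names, the allowlist, the decode bound, the NFKC folding step and the sample inputs are assumptions made for illustration.

```python
import html
import re
import unicodedata
from typing import Optional
from urllib.parse import unquote

ALLOWED_SCHEMES = {"http", "https", "mailto"}  # assumed allowlist for this example
MAX_ROUNDS = 5  # assumed bound; input still changing after this is rejected
SCHEME_RE = re.compile(r"([a-z][a-z0-9+.\-]*):")


def naive_is_safe(value: str) -> bool:
    """Flawed: compares the raw string to a blocklist before normalizing."""
    return "javascript:" not in value.lower()


def normalize(value: str) -> Optional[str]:
    """Decode percent-escapes and HTML entities, fold Unicode compatibility
    forms, and repeat until the value stops changing (None if it never does)."""
    for _ in range(MAX_ROUNDS):
        decoded = unicodedata.normalize("NFKC", html.unescape(unquote(value)))
        if decoded == value:
            # Remove whitespace/control characters, then lowercase for matching.
            return re.sub(r"[\x00-\x20\x7f]", "", value).lower()
        value = decoded
    return None


def is_safe_url(value: str) -> bool:
    """Allowlist check performed only on the fully normalized value."""
    norm = normalize(value)
    if norm is None:
        return False
    match = SCHEME_RE.match(norm)
    if match is None:
        return True  # no scheme: treated as a relative reference
    return match.group(1) in ALLOWED_SCHEMES


# Constructed sample inputs (not from the original entry).
SAMPLES = [
    "https://example.com/profile?id=7",
    "/account/settings",
    "javascript:void(0)",
    "jav&#x61;script:void(0)",    # HTML character reference
    "java%73cript:void(0)",       # percent-encoding
    "java%2573cript:void(0)",     # percent-encoding applied twice
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:40} naive={naive_is_safe(s)!s:5} normalized={is_safe_url(s)}")
```

The scheme check decides only whether a value may be placed in a link attribute; the value still needs context-appropriate output encoding when it is written into the page.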

Implementation: The victim should configure the browser to minimize active content from untrusted sources.

+ Related Weaknesses
CWE-ID | Weakness Name | Weakness Relationship Type
79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') | Targeted
84 | Failure to Resolve Encoded URI Schemes in a Web Page | Targeted
+ Related Attack Patterns
Nature | Type | ID | Name | Description | View(s) this relationship pertains to
ChildOf | Attack Pattern | 18 | Embedding Scripts in Nonscript Elements | | Mechanism of Attack (primary) 1000