Cross-Site Scripting Using Doubled Characters, e.g. %3C%3Cscript
Attack Pattern ID: 245 (Detailed Attack Pattern Completeness: Stub)Typical Severity: MediumStatus: Draft
+ Description


The attacker bypasses input validation by using doubled characters in order to perform a cross-site scripting attack. Some filters fail to recognize dangerous sequences if they are preceded by repeated characters. For example, by doubling the < before a script command, (<<script or %3C%3script using URI encoding) the filters of some web applications may fail to recognize the presence of a script tag. If the targeted server is vulnerable to this type of bypass, the attacker can create a crafted URL or other trap to cause a victim to view a page on the targeted server where the malicious content is executed, as per a normal XSS attack.

+ Attack Prerequisites

The targeted web application does not fully normalize input before checking for prohibited syntax. In particular, it must fail to recognize prohibited methods preceded by certain sequences of repeated characters.

+ Resources Required

The attacker must trick the victim into following a crafted link to a vulnerable server or view a web post where the dangerous commands are executed.

+ Solutions and Mitigations

Design: Use libraries and templates that minimize unfiltered input.

Implementation: Normalize, filter and sanitize all user supplied fields.

Implementation: The victim should configure the browser to minimize active content from untrusted sources.

+ Related Weaknesses
CWE-IDWeakness NameWeakness Relationship Type
79Failure to Preserve Web Page Structure ('Cross-site Scripting')Targeted
85Doubled Character XSS ManipulationsTargeted
+ Related Vulnerabilities
Vulnerability IDRelationship Description

The WHM interface 11.15.0 for cPanel 11.18 before 11.18.4 and 11.22 before 11.22.3 allows remote attackers to bypass XSS protection and inject arbitrary script or HTML via repeated, improperly-ordered "<" and ">" characters in the (1) issue parameter to scripts2/knowlegebase, (2) user parameter to scripts2/changeip, (3) search parameter to scripts2/listaccts, and other unspecified vectors.

+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfAttack PatternAttack Pattern18Embedding Scripts in Nonscript Elements 
Mechanism of Attack (primary)1000