CAPEC 91

Summary

Attack Execution Flow

1. Spider:

   Using a browser , an attacker is looking at the application to figure out if it allows to specify images, upload them, etc.

   Attack Step Techniques

   ID	Attack Step Technique Description	Environments
   1	Use a browser to manually explore the website and identify entry points where the application allows the upload (or other means of specification) of images. Many browsers' plugins are available to facilitate the analysis or automate the discovery.	env-Web

   Indicators

   ID	type	Indicator Description	Environments
   1	Positive	The application has image upload functionality.	env-Web
   2	Positive	The application allows users to point to or otherwise specify images.	env-Web
   3	Inconclusive	No parameters appear to be used on the current page. Even though none appear, the web application may still use them if they are provided.	env-Web
   4	Negative	Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible.	env-Web

   Outcomes

   ID	type	Outcome Description
   1	Success	A list entry points where images can be specified.

   Security Controls

   ID	type	Security Control Description
   1	Preventative	Do not allow user upload or specification of images
   2	Preventative	Proceed to a temporary account lockout when the user does too many suspicious attempts using image upload.

1. Probe identified potential entry points for XSS vulnerability:

   The attacker uses the entry points gathered in the "Explore" phase as a target list and injects various common script payloads to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.

   Attack Step Techniques

   ID	Attack Step Technique Description	Environments
   1	Manually inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a client-side non-script elements context and observe system behavior to determine if script was executed.	env-Web
   2	Use an automated injection attack tool to inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a client-side non-script elements context and observe system behavior to determine if script was executed.	env-Web
   3	Use a proxy tool to record results of the created requests.	env-Web

   Indicators

   ID	type	Indicator Description	Environments
   1	Positive	The output of pages includes image tags specified by users.	env-Web
   2	Positive	Output to the browser is not encoded to remove executable scripting syntax.	env-Web

   Outcomes

   ID	type	Outcome Description
   1	Success	The attacker's script string is being reflected verbatim at some point in the web site (if not on the same page). Note that sometimes, the payload might be well encoded in the page, but wouldn't be encoded at all in some other section of the same web page (title, etc.)
   2	Failure	All context-sensitive characters are consistently re-encoded before being sent to the web browser. For example, in a HTML tag element, the payload may not be able to evade the quotes in order to inject another attribute.
   3	Inconclusive	Some sensitive characters are consistently encoded, but others are not. Depending on which type of non-script element the payload is injected in, it may be possible to evade the encodings.

   Security Controls

   ID	type	Security Control Description
   1	Detective	Monitor input to web servers (not only GET, but all potential inputs like COOKIES, POST, HEADER), application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard XSS probes. The majority of attackers use well known strings to check for vulnerabilities. Use the same vulnerability catalogs that hackers use.
   2	Preventative	Apply appropriate input validation to filter all user-controllable input of scripting syntax
   3	Preventative	Appropriately encode all browser output to avoid scripting syntax
   4	Preventative	Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.

1. Steal session IDs, credentials, page content, etc.:

   As the attacker succeeds in exploiting the vulnerability, he can choose to steal user's credentials in order to reuse or to analyze them later on.

   Attack Step Techniques

   ID	Attack Step Technique Description	Environments
   1	Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker.	env-Web
   2	Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately.	env-Web

   Outcomes

   ID	type	Outcome Description
   1	Success	The attacker gets the user's cookies or other session identifiers.
   2	Success	The attacker gets the content of the page the user is viewing.
   3	Success	The attacker causes the user's browser to visit a page with malicious content.

   Security Controls

   ID	type	Security Control Description
   1	Detective	Monitor server logs for scripting parameters.
   2	Detective	Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
   3	Preventative	Apply appropriate input validation to filter all user-controllable input of scripting syntax
   4	Preventative	Appropriately encode all browser output to avoid scripting syntax
   5	Preventative	Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.

2. Forceful browsing:

   When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not).

   Attack Step Techniques

   ID	Attack Step Technique Description	Environments
   1	Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site	env-Web
   2	Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities).	env-Web

   Outcomes

   ID	type	Outcome Description
   1	Success	The attacker indirectly controls the user's browser and makes it performing actions exploiting CSRF.
   2	Success	The attacker manipulates the browser through the steps that he designed in his attack. The user, identified on a website, is now performing actions he is not aware of.

   Security Controls

   ID	type	Security Control Description
   1	Detective	Monitor server logs for scripting parameters.
   2	Detective	Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
   3	Preventative	Apply appropriate input validation to filter all user-controllable input of scripting syntax
   4	Preventative	Appropriately encode all browser output to avoid scripting syntax
   5	Preventative	Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.

3. Content spoofing:

   By manipulating the content, the attacker targets the information that the user would like to get from the website.

   Attack Step Techniques

   ID	Attack Step Technique Description	Environments
   2	Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page.	env-Web

   Outcomes

   ID	type	Outcome Description
   1	Success	The user sees a page containing wrong information

   Security Controls

   ID	type	Security Control Description
   1	Detective	Monitor server logs for scripting parameters.
   2	Detective	Monitor server logs for referrers. If users are being tricked into clicking XSS links through forums or other web postings, their web browsers will be providing Referrer headers most of the time. These can help indicate that the actual request is illegitimate.
   3	Preventative	Apply appropriate input validation to filter all user-controllable input of scripting syntax
   4	Preventative	Appropriately encode all browser output to avoid scripting syntax
   5	Preventative	Actively monitor the application and either deny or redirect requests from origins that appear to be generating XSS probes.

Likelihood: High

Techniques for discovery of XSS as well as tools and means to exploit them are fairly widely available and understood

Description

Skill or Knowledge Level: Medium

Besides the ability to figure out possibilities of injection, the attacker requires moderate scripting skills to successfully leverage cross site scripting in image tags

In addition to the traditional input fields, all other user controllable inputs, such as image tags within messages or the likes, must also be subjected to input validation. Such validation should ensure that content that can be potentially interpreted as script by the browser is appropriately filtered.

All output displayed to clients must be properly escaped. Escaping ensures that the browser interprets special scripting characters literally and not as script to be executed.