An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.

How does a Cross Zone Scripting attack work?

It typically unfolds over 3 phases. It begins with: [Find systems susceptible to the attack] Find systems that contain functionality that is accessed from both the internet zone and the local zone. There needs to be a way to supply input to that functionality from the internet zone and that original input needs to be used later on a page from a local zone.

What weaknesses does CAPEC-104 target?

CAPEC-104 exploits 5 CWE weaknesses, including CWE-20 (Improper Input Validation), CWE-116 (Improper Encoding or Escaping of Output), CWE-250 (Execution with Unnecessary Privileges), CWE-285 (Improper Authorization).

How severe is CAPEC-104?

MITRE rates CAPEC-104 as High severity with medium likelihood of attack.

CAPEC-104: Cross Zone Scripting

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
[Find systems susceptible to the attack] Find systems that contain functionality that is accessed from both the internet zone and the local zone. There needs to be a way to supply input to that functionality from the internet zone and that original input needs to be used later on a page from a local zone.
- Leverage knowledge of common local zone functionality on targeted platforms to guide attempted injection of code through relevant internet zone mechanisms. In some cases this may be due to standard system configurations enabling shared functionality between internet and local zones. The attacker can search for indicators that these standard configurations are in place.
Step 2
Experiment
[Find the insertion point for the payload] The attacker first needs to find some system functionality or possibly another weakness in the system (e.g. susceptibility to cross site scripting) that would provide the attacker with a mechanism to deliver the payload (i.e. the code to be executed) to the user. The location from which this code is executed in the user's browser needs to be within the local machine zone.
- Finding weaknesses in functionality used by both privileged and unprivileged users.
Step 3
Exploit
[Craft and inject the payload] Develop the payload to be executed in the higher privileged zone in the user's browser. Inject the payload and attempt to lure the victim (if possible) into executing the functionality which unleashes the payload.
- The attacker makes it as likely as possible that the vulnerable functionality into which they have injected the payload has a high likelihood of being used by the victim.
- Leverage cross-site scripting vulnerability to inject payload.

How the attack works

CAPEC-104: Cross Zone Scripting

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

Examples

Frequently asked questions

What is CAPEC-104?

How does a Cross Zone Scripting attack work?

How do you prevent CAPEC-104?

What weaknesses does CAPEC-104 target?

How severe is CAPEC-104?

References

Defend against CAPEC-104

How the attack works

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

Examples

Related weaknesses

Related attack patterns

Parent

Frequently asked questions

What is CAPEC-104?

How does a Cross Zone Scripting attack work?

How do you prevent CAPEC-104?

What weaknesses does CAPEC-104 target?

How severe is CAPEC-104?

References

Defend against CAPEC-104