The adversary bypasses input validation by using doubled characters in order to perform a cross-site scripting attack. Some filters fail to recognize dangerous sequences if they are preceded by repeated characters. For example, by doubling the < before a script command, (<<script or %3C%3script using URI encoding) the filters of some web applications may fail to recognize the presence of a script tag. If the targeted server is vulnerable to this type of bypass, the adversary can create a crafted URL or other trap to cause a victim to view a page on the targeted server where the malicious content is executed, as per a normal XSS attack.

How does a XSS Using Doubled Characters attack work?

It typically unfolds over 4 phases. It begins with: [Survey the application for user-controllable inputs] Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.

How do you prevent CAPEC-245?

Design: Use libraries and templates that minimize unfiltered input.

What weaknesses does CAPEC-245 target?

CAPEC-245 exploits 1 CWE weakness, including CWE-85 (Doubled Character XSS Manipulations).

How severe is CAPEC-245?

MITRE rates CAPEC-245 as Medium severity.

CAPEC-245: XSS Using Doubled Characters

Q: How does a XSS Using Doubled Characters attack work?

It typically unfolds over 4 phases. It begins with: [Survey the application for user-controllable inputs] Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.

Q: How do you prevent CAPEC-245?

Design: Use libraries and templates that minimize unfiltered input.

Q: What weaknesses does CAPEC-245 target?

CAPEC-245 exploits 1 CWE weakness, including CWE-85 (Doubled Character XSS Manipulations).

Q: How severe is CAPEC-245?

MITRE rates CAPEC-245 as Medium severity.

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
[Survey the application for user-controllable inputs] Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.
- Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
- Use a proxy tool to record all links visited during a manual traversal of the web application.
- Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
Step 2
Experiment
[Probe identified potential entry points for XSS using double characters] The adversary uses the entry points gathered in the "Explore" phase as a target list and injects various common script payloads modified to use double characters and doubled special characters to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.
- Use a list of XSS probe strings using double characters to inject script in parameters of known URLs. If possible, the probe strings contain a unique identifier.
- Use a proxy tool to record results of manual input of XSS probes in known URLs.
- Use a list of doubled HTML special characters to inject into parameters of known URLs and check if they were properly encoded, replaced, or filtered out.
Step 3
Experiment
[Craft malicious XSS URL] Once the adversary has determined which parameters are vulnerable to XSS, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim.
- Execute a script using an expression embedded in an HTML attribute, which avoids needing to inject a script tag.
- Send information gathered from the malicious script to a remote endpoint.
Step 4
Exploit
[Get victim to click URL] In order for the attack to be successful, the victim needs to access the malicious URL.
- Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion.
- Put the malicious URL on a public forum, where many victims might accidentally click the link.

Overview

CAPEC-245: XSS Using Doubled Characters

Overview

How the attack works

What the attacker needs

Prerequisites

Resources required

How to mitigate it

Frequently asked questions

What is CAPEC-245?

How does a XSS Using Doubled Characters attack work?

How do you prevent CAPEC-245?

What weaknesses does CAPEC-245 target?

How severe is CAPEC-245?

References

Defend against CAPEC-245

Overview

Overview

How the attack works

What the attacker needs

Prerequisites

Resources required

How to mitigate it

Related weaknesses

Related attack patterns

Parent

Frequently asked questions

What is CAPEC-245?

How does a XSS Using Doubled Characters attack work?

How do you prevent CAPEC-245?

What weaknesses does CAPEC-245 target?

How severe is CAPEC-245?

References

Defend against CAPEC-245