CAPEC-468

Generic Cross-Browser Cross-Domain Theft
Mittel
Draft
2014-06-23
00h00 +00:00
2022-02-22
00h00 +00:00
CAPEC Mitre.org
Benachrichtigung für ein CAPEC
Bleiben Sie über alle Änderungen zu einem bestimmten CAPEC informiert.
Benachrichtigungen verwalten

CAPEC-Beschreibungen

An attacker makes use of Cascading Style Sheets (CSS) injection to steal data cross domain from the victim's browser. The attack works by abusing the standards relating to loading of CSS: 1. Send cookies on any load of CSS (including cross-domain) 2. When parsing returned CSS ignore all data that does not make sense before a valid CSS descriptor is found by the CSS parser.

CAPEC-Informationen

Voraussetzungen

No new lines can be present in the injected CSS stringProper HTML or URL escaping of the " and ' characters is not presentThe attacker has control of two injection points: pre-string and post-string

Erforderliche Kenntnisse

Ability to craft a CSS injection

Erforderliche Ressourcen

Attacker controlled site/page to render a page referencing the injected CSS string

Gegenmaßnahmen

Design: Prior to performing CSS parsing, require the CSS to start with well-formed CSS when it is a cross-domain load and the MIME type is broken. This is a browser level fix.
Implementation: Perform proper HTML encoding and URL escaping

Verwandte Schwachstellen

CWE-ID Name der Schwachstelle

CWE-707

 Improper Neutralization
The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

CWE-149

 Improper Neutralization of Quoting Syntax
Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.

CWE-177

 Improper Handling of URL Encoding (Hex Encoding)
The product does not properly handle when all or part of an input has been URL encoded.

CWE-838

 Inappropriate Encoding for Output Context
The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component.

Referenzen

REF-405

Generic cross-browser cross-domain theft
Chris Evans.
http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html

Einreichung

Name Organisation Datum Veröffentlichungsdatum
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Änderungen

Name Organisation Datum Kommentar
CAPEC Content Team The MITRE Corporation 2015-11-09 +00:00 Updated Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2015-12-07 +00:00 Updated Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2020-12-17 +00:00 Updated Mitigations
CAPEC Content Team The MITRE Corporation 2022-02-22 +00:00 Updated Description, Extended_Description
Die auf CVE Find präsentierten Informationen stammen aus mehreren sorgfältig ausgewählten Referenzquellen. CVE-Daten werden von der MITRE Corporation und der National Vulnerability Database (NVD) bereitgestellt. Der Katalog bekannter ausgenutzter Schwachstellen (KEV) stammt von der Cybersecurity and Infrastructure Security Agency (CISA), während EPSS-Scores von FIRST.org kommen. Darüber hinaus werden Daten zu Software-Schwachstellen (CWE) und häufigen Angriffsmustern (CAPEC) von der MITRE Corporation gepflegt, und Informationen zu Hardware- und Software-Konfigurationen (CPE) werden von der NVD bereitgestellt.