CAPEC-104

Cross Zone Scripting
MEDIUM
HIGH
Draft
2014-06-23 00:00 +00:00
2022-02-22 00:00 +00:00

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.
Alert management

Description

An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.

Informations

Execution Flow

1) Explore

[Find systems susceptible to the attack] Find systems that contain functionality that is accessed from both the internet zone and the local zone. There needs to be a way to supply input to that functionality from the internet zone and that original input needs to be used later on a page from a local zone.

Technique
  • Leverage knowledge of common local zone functionality on targeted platforms to guide attempted injection of code through relevant internet zone mechanisms. In some cases this may be due to standard system configurations enabling shared functionality between internet and local zones. The attacker can search for indicators that these standard configurations are in place.

2) Experiment

[Find the insertion point for the payload] The attacker first needs to find some system functionality or possibly another weakness in the system (e.g. susceptibility to cross site scripting) that would provide the attacker with a mechanism to deliver the payload (i.e. the code to be executed) to the user. The location from which this code is executed in the user's browser needs to be within the local machine zone.

Technique
  • Finding weaknesses in functionality used by both privileged and unprivileged users.

3) Exploit

[Craft and inject the payload] Develop the payload to be executed in the higher privileged zone in the user's browser. Inject the payload and attempt to lure the victim (if possible) into executing the functionality which unleashes the payload.

Technique
  • The attacker makes it as likely as possible that the vulnerable functionality into which they have injected the payload has a high likelihood of being used by the victim.
  • Leverage cross-site scripting vulnerability to inject payload.

Prerequisites

The target must be using a zone-aware browser.

Skills Required

Ability to craft malicious scripts or find them elsewhere and ability to identify functionality that is running web controls in the local zone and to find an injection vector into that functionality

Resources Required

None: No specialized resources are required to execute this type of attack.

Mitigations

Disable script execution.
Ensure that sufficient input validation is performed for any potentially untrusted data before it is used in any privileged context or zone
Limit the flow of untrusted data into the privileged areas of the system that run in the higher trust zone
Limit the sites that are being added to the local machine zone and restrict the privileges of the code running in that zone to the bare minimum
Ensure proper HTML output encoding before writing user supplied data to the page

Related Weaknesses

CWE-ID Weakness Name
CWE-250 Execution with Unnecessary Privileges
The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
CWE-638 Not Using Complete Mediation
The product does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity's rights or privileges change over time.
CWE-285 Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-116 Improper Encoding or Escaping of Output
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Submission

Name Organization Date Date Release
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifications

Name Organization Date Comment
CAPEC Content Team The MITRE Corporation 2015-12-07 +00:00 Updated Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2017-08-04 +00:00 Updated Resources_Required
CAPEC Content Team The MITRE Corporation 2020-07-30 +00:00 Updated Execution_Flow, Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2022-02-22 +00:00 Updated Description, Extended_Description
Click on the button to the left (OFF), to authorize the inscription of cookie improving the functionalities of the site. Click on the button to the left (Accept all), to unauthorize the inscription of cookie improving the functionalities of the site.