CAPEC-468 Detail

CAPEC-468

Name

Generic Cross-Browser Cross-Domain Theft

Typical Severity

Medium

Status

Draft

Published

2014-06-23
00h00 +00:00

Modified

2022-02-22
00h00 +00:00

Official links

CAPEC Mitre.org

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.

Notifications manage

List of Notifications

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CAPEC ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Descriptions CAPEC

An attacker makes use of Cascading Style Sheets (CSS) injection to steal data cross domain from the victim's browser. The attack works by abusing the standards relating to loading of CSS: 1. Send cookies on any load of CSS (including cross-domain) 2. When parsing returned CSS ignore all data that does not make sense before a valid CSS descriptor is found by the CSS parser.

Informations CAPEC

Prerequisites

No new lines can be present in the injected CSS stringProper HTML or URL escaping of the " and ' characters is not presentThe attacker has control of two injection points: pre-string and post-string

Skills Required

Ability to craft a CSS injection

Resources Required

Attacker controlled site/page to render a page referencing the injected CSS string

Mitigations

Design: Prior to performing CSS parsing, require the CSS to start with well-formed CSS when it is a cross-domain load and the MIME type is broken. This is a browser level fix.
Implementation: Perform proper HTML encoding and URL escaping

Related Weaknesses

CWE-ID	Weakness Name
CWE-707	Improper Neutralization The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
CWE-149	Improper Neutralization of Quoting Syntax Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.
CWE-177	Improper Handling of URL Encoding (Hex Encoding) The product does not properly handle when all or part of an input has been URL encoded.
CWE-838	Inappropriate Encoding for Output Context The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component.

References

REF-405

Generic cross-browser cross-domain theft
Chris Evans.
http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html

Submission

Name	Organization	Date	Date release
CAPEC Content Team	The MITRE Corporation	2014-06-23 +00:00

Modifications

Name	Organization	Date	Comment
CAPEC Content Team	The MITRE Corporation	2015-11-09 +00:00	Updated Related_Attack_Patterns
CAPEC Content Team	The MITRE Corporation	2015-12-07 +00:00	Updated Related_Attack_Patterns
CAPEC Content Team	The MITRE Corporation	2020-12-17 +00:00	Updated Mitigations
CAPEC Content Team	The MITRE Corporation	2022-02-22 +00:00	Updated Description, Extended_Description