Execution Flow
1) Explore
[Survey the application for stored user-controllable inputs] Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application. The adversary is looking for areas where user input is stored, such as user profiles, shopping carts, file managers, forums, blogs, and logs.
Technique
- Use a spidering tool to follow and record all links and analyze the web pages to find entry points.
- Use a proxy tool to record all links visited during a manual traversal of the web application.
- Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.
2) Experiment
[Probe identified potential entry points for stored XSS vulnerability] The adversary uses the entry points gathered in the "Explore" phase as a target list and injects various common script payloads and special characters to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.
Technique
- Use a list of XSS probe strings to submit script in input fields that could be stored by the web application. If possible, the probe strings contain a unique identifier so they can be queried for after submitting to see if they are stored.
- Use a list of HTML special characters to submit in input fields that could be stored by the web application and check if they were properly encoded, replaced, or filtered out.
3) Experiment
[Store malicious XSS content] Once the adversary has determined which stored locations are vulnerable to XSS, they will interact with the web application to store the malicious content. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from a victim.
Technique
- Store a malicious script on a page that will execute when viewed by the victim.
- Use a tool such as BeEF to store a hook into the web application. This will alert the adversary when the victim has accessed the content and will give the adversary control over the victim's browser, allowing them access to cookies, user screenshot, user clipboard, and more complex XSS attacks.
4) Exploit
[Get victim to view stored content] In order for the attack to be successful, the victim needs to view the stored malicious content on the webpage.
Technique
- Send a phishing email to the victim containing a URL that will direct them to the malicious stored content.
- Simply wait for a victim to view the content. This is viable in situations where content is posted to a popular public forum.
Prerequisites
An application that leverages a client-side web browser with scripting enabled.
An application that fails to adequately sanitize or encode untrusted input.
An application that stores information provided by the user in data storage of some kind.
Skills Required
Requires the ability to write scripts of varying complexity and to inject them through user controlled fields within the application.
Resources Required
None: No specialized resources are required to execute this type of attack.
Mitigations
Use browser technologies that do not allow client-side scripting.
Utilize strict type, character, and encoding enforcement.
Ensure that all user-supplied input is validated before being stored.
Related Weaknesses
CWE-ID |
Weakness Name |
CWE-79 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
References
REF-605
OWASP Web Security Testing Guide
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/02-Testing_for_Stored_Cross_Site_Scripting.html
Submission
Name |
Organization |
Date |
Date Release |
CAPEC Content Team |
The MITRE Corporation |
2017-04-15 +00:00 |
Modifications
Name |
Organization |
Date |
Comment |
CAPEC Content Team |
The MITRE Corporation |
2017-08-04 +00:00 |
Updated Resources_Required |
CAPEC Content Team |
The MITRE Corporation |
2019-04-04 +00:00 |
Updated Related_Weaknesses |
CAPEC Content Team |
The MITRE Corporation |
2019-09-30 +00:00 |
Updated Description |
CAPEC Content Team |
The MITRE Corporation |
2020-07-30 +00:00 |
Updated Example_Instances |
CAPEC Content Team |
The MITRE Corporation |
2020-12-17 +00:00 |
Updated References |
CAPEC Content Team |
The MITRE Corporation |
2022-02-22 +00:00 |
Updated Execution_Flow |
CAPEC Content Team |
The MITRE Corporation |
2022-09-29 +00:00 |
Updated Description, Extended_Description |