|Name ||Embedding Scripts in Non-Script Elements |
|Summary ||This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an attacker to tunnel through the application's elements and launch a XSS attack through other elements.
As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote attacker to collect and interpret the output of said attack. |
|Prerequisites ||Target client software must be a client that allows script execution based on scripts generated by remote hosts. |
|Solutions ||Design: Use browser technologies that do not allow client side scripting.
Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification.
Implementation: Perform input validation for all remote content.
Implementation: Perform output validation for all remote content.
Implementation: Session tokens for specific host
Implementation: Service provider should not use the XMLHttpRequest method to create a local proxy for content from other sites, because the client will not be able to discern what content comes from which host. |
|CWE ID ||Description |
|CWE-20 ||Improper Input Validation |
|CWE-71 ||Apple '.DS_Store' |
|CWE-79 ||Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|CWE-80 ||Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) |
|CWE-82 ||Improper Neutralization of Script in Attributes of IMG Tags in a Web Page |
|CWE-83 ||Improper Neutralization of Script in Attributes in a Web Page |
|CWE-84 ||Improper Neutralization of Encoded URI Schemes in a Web Page |
|CWE-86 ||Improper Neutralization of Invalid Characters in Identifiers in Web Pages |
|CWE-96 ||Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') |
|CWE-116 ||Improper Encoding or Escaping of Output |
|CWE-184 ||Incomplete Blacklist |
|CWE-348 ||Use of Less Trusted Source |
|CWE-350 ||Reliance on Reverse DNS Resolution for a Security-Critical Action |
|CWE-692 || |
|CWE-697 ||Insufficient Comparison |
|CWE-713 || |