|Name ||Cross-Site Scripting Using Doubled Characters, e.g. %3C%3Cscript |
|Summary ||The attacker bypasses input validation by using doubled characters in order to perform a cross-site scripting attack. Some filters fail to recognize dangerous sequences if they are preceded by repeated characters. For example, when the < before a script tag is doubled (<<script, or %3C%3Cscript using URI encoding), the filters of some web applications may fail to recognize the presence of a script tag. If the targeted server is vulnerable to this type of bypass, the attacker can create a crafted URL or other trap to cause a victim to view a page on the targeted server where the malicious content is executed, as per a normal XSS attack. |
|Prerequisites ||The targeted web application does not fully normalize input before checking for prohibited syntax. In particular, it must fail to recognize prohibited methods preceded by certain sequences of repeated characters. |
|Solutions ||Design: Use libraries and templates that minimize unfiltered input.
Implementation: Normalize, filter and sanitize all user-supplied fields.
Implementation: The victim should configure the browser to minimize active content from untrusted sources. |
|CWE ID ||Description |
|CWE-79 ||Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|CWE-85 ||Doubled Character XSS Manipulations |
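
The failure described in the Summary and the "normalize, filter and sanitize" step from the Solutions, shown side by side as an added example (not part of the original entry). The blocklist, the tag-name pattern and the sample inputs are constructed for illustration; `naive_is_safe`, `normalize`, `strict_is_safe` and `render` are hypothetical names.

```python
import html
import re
from urllib.parse import unquote

BLOCKED_TAGS = {"script", "iframe", "object"}  # constructed blocklist
TAG_NAME = re.compile(r"<([^\s>]*)")  # text after '<' up to whitespace or '>'


def naive_is_safe(value: str) -> bool:
    """Flawed: checks raw input, so '<<script>' yields the name '<script'."""
    return all(n.lower() not in BLOCKED_TAGS for n in TAG_NAME.findall(value))


def normalize(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until stable, then collapse runs of '<' to a single '<'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return re.sub(r"<{2,}", "<", value)
        value = decoded
    raise ValueError("input still changes after repeated decoding; reject it")


def strict_is_safe(value: str) -> bool:
    """Same blocklist, applied only after full normalization."""
    return naive_is_safe(normalize(value))


def render(value: str) -> str:
    """Output encoding: markup characters become inert text in the page."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for sample in ("<script>x</script>", "<<script>x</script>",
                   "%3C%3Cscript%3Ex", "a < b"):  # constructed inputs
        print(f"{sample!r}: naive={naive_is_safe(sample)} "
              f"strict={strict_is_safe(sample)} rendered={render(sample)!r}")
```

The blocklist is kept only to show where normalization has to happen. The control that holds regardless of filter gaps is the output encoding in `render`.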