Name Embedding Scripts in HTTP Query Strings
Summary A variant of cross-site scripting called "reflected" cross-site scripting, the HTTP Query Strings attack consists of passing a malicious script inside an otherwise valid HTTP request query string. This is of significant concern for sites that rely on dynamic, user-generated content such as bulletin boards, news sites, blogs, and web enabled administration GUIs. The malicious script may steal session data, browse history, probe files, or otherwise execute attacks on the client side. Once the attacker has prepared the malicious HTTP query it is sent to a victim user (perhaps by email, IM, or posted on an online forum), who clicks on a normal looking link that contains a poison query string. This technique can be made more effective through the use of services like http://tinyurl.com/, which makes very small URLs that will redirect to very large, complex ones. The victim will not know what he is really clicking on.
Prerequisites Target client software must allow scripting such as JavaScript. Server software must allow display of remote generated HTML without sufficient input or output validation.
Solutions Design: Use browser technologies that do not allow client side scripting. Design: Utilize strict type, character, and encoding enforcement Design: Server side developers should not proxy content via XHR or other means, if a http proxy for remote content is setup on the server side, the client's browser has no way of discerning where the data is originating from. Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification. Implementation: Perform input validation for all remote content, including remote and user-generated content Implementation: Perform output validation for all remote content. Implementation: Disable scripting languages such as JavaScript in browser Implementation: Session tokens for specific host Implementation: Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this. Implementation: Privileges are constrained, if a script is loaded, ensure system runs in chroot jail or other limited authority mode
Related Weaknesses
CWE ID Description
CWE-20 Improper Input Validation
CWE-71 Apple '.DS_Store'
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-84 Improper Neutralization of Encoded URI Schemes in a Web Page
CWE-85 Doubled Character XSS Manipulations
CWE-86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
CWE-692
CWE-697 Insufficient Comparison
CWE-713
Back to Top