Name Embedding Scripts in Non-Script Elements
Summary This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an attacker to tunnel through the application's elements and launch a XSS attack through other elements. As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote attacker to collect and interpret the output of said attack.
Prerequisites Target client software must be a client that allows script execution based on scripts generated by remote hosts.
Solutions Design: Use browser technologies that do not allow client side scripting. Implementation: Ensure all content that is delivered to client is sanitized against an acceptable content specification. Implementation: Perform input validation for all remote content. Implementation: Perform output validation for all remote content. Implementation: Disable scripting languages such as JavaScript in browser Implementation: Session tokens for specific host Implementation: Service provider should not use the XMLHttpRequest method to create a local proxy for content from other sites, because the client will not be able to discern what content comes from which host.
Related Weaknesses
CWE ID Description
CWE-20 Improper Input Validation
CWE-71 DEPRECATED: Apple '.DS_Store'
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE-82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
CWE-83 Improper Neutralization of Script in Attributes in a Web Page
CWE-84 Improper Neutralization of Encoded URI Schemes in a Web Page
CWE-86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages
CWE-96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
CWE-116 Improper Encoding or Escaping of Output
CWE-184 Incomplete Blacklist
CWE-348 Use of Less Trusted Source
CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action
CWE-692 Incomplete Blacklist to Cross-Site Scripting
CWE-697 Incorrect Comparison
CWE-713 OWASP Top Ten 2007 Category A2 - Injection Flaws
Back to Top