|Name ||Embedding Scripts in HTTP Query Strings |
|Summary ||A variant of cross-site scripting called "reflected" cross-site scripting, the HTTP Query Strings attack consists of passing a malicious script inside an otherwise valid HTTP request query string. This is of significant concern for sites that rely on dynamic, user-generated content such as bulletin boards, news sites, blogs, and web-enabled administration GUIs. The malicious script may steal session data, browse history, probe files, or otherwise execute attacks on the client side. Once the attacker has prepared the malicious HTTP query, it is sent to a victim user (perhaps by email, IM, or a post on an online forum), who clicks on a normal-looking link that contains a poisoned query string. This technique can be made more effective through the use of services like http://tinyurl.com/, which produce very short URLs that redirect to very long, complex ones, so the victim will not know what he is really clicking on. |
|Solutions ||Design: Use browser technologies that do not allow client-side scripting.
Design: Utilize strict type, character, and encoding enforcement.
Design: Server-side developers should not proxy content via XHR or other means; if an HTTP proxy for remote content is set up on the server side, the client's browser has no way of discerning where the data originates.
Implementation: Ensure all content delivered to the client is sanitized against an acceptable content specification.
Implementation: Perform input validation for all remote content, including user-generated content.
Implementation: Perform output validation for all remote content.
Implementation: Issue session tokens scoped to a specific host.
Implementation: Patch software. There are many attack vectors for XSS on both the client side and the server side. Many vulnerabilities are fixed in service packs for browsers, web servers, and plug-in technologies; staying current on patch releases that deal with XSS countermeasures mitigates this.
Implementation: Constrain privileges: if a script is loaded, ensure the system runs in a chroot jail or other limited-authority mode. |
|CWE ID ||Description |
|CWE-20 ||Improper Input Validation |
|CWE-71 ||DEPRECATED: Apple '.DS_Store' |
|CWE-79 ||Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
|CWE-84 ||Improper Neutralization of Encoded URI Schemes in a Web Page |
|CWE-85 ||Doubled Character XSS Manipulations |
|CWE-86 ||Improper Neutralization of Invalid Characters in Identifiers in Web Pages |
|CWE-692 ||Incomplete Blacklist to Cross-Site Scripting |
|CWE-697 ||Incorrect Comparison |
|CWE-713 ||OWASP Top Ten 2007 Category A2 - Injection Flaws |
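The following is an added example, not part of this entry, illustrating the input-validation and output-encoding solutions above against a reflected query-string parameter, plus a simple check over web-server access logs for the kind of poisoned query string the summary describes. The hostname, path, parameter name, and log lines are constructed for the example; the allowlist pattern is an assumption appropriate for a search term and would differ per application.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample link of the kind the summary describes: the search
# parameter carries script markup instead of a search term. The host and
# path are assumptions for this example.
SAMPLE_URL = "https://example.test/search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"

# Allowlist for a search term (assumption): letters, digits, whitespace and a
# few punctuation characters, 1 to 64 characters long. Markup characters such
# as '<', '>', '/', '(' and ')' are outside the allowlist and are rejected.
SEARCH_TERM_RE = re.compile(r"^[\w\s.,'-]{1,64}$")


def query_param(url, name):
    """Return the first value of query parameter `name`, decoded, or '' if absent."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(name, [""])[0]


def render_vulnerable(url):
    """Reflects the parameter into the page verbatim: the defect this entry describes."""
    term = query_param(url, "q")
    return f"<p>Results for: {term}</p>"


def encode_for_html(value):
    """Output encoding: escape &, <, >, and both quote characters so the
    value is inert in element content and in quoted attributes."""
    return html.escape(value, quote=True)


def render_hardened(url):
    """Input validation against the allowlist, then output encoding."""
    term = query_param(url, "q")
    if not SEARCH_TERM_RE.fullmatch(term):
        return "<p>Invalid search term.</p>"
    return f"<p>Results for: {encode_for_html(term)}</p>"


# Constructed access-log lines in Common Log Format: one ordinary search and
# one request whose query string carries the same markup as SAMPLE_URL.
ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /search?q=linux+kernel HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 640',
]
REQUEST_TARGET_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_suspicious_requests(lines):
    """Return the raw request targets whose URL-decoded form contains markup
    characters or a javascript: scheme. Decoding first matters: the markup in
    the log is percent-encoded and would not match a naive '<' search."""
    flagged = []
    for line in lines:
        m = REQUEST_TARGET_RE.search(line)
        if not m:
            continue
        raw_target = m.group(1)
        decoded = unquote_plus(raw_target)
        if "<" in decoded or ">" in decoded or "javascript:" in decoded.lower():
            flagged.append(raw_target)
    return flagged


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_URL))
    print("hardened:  ", render_hardened(SAMPLE_URL))
    print("flagged:   ", flag_suspicious_requests(ACCESS_LOG))
```

The hardened renderer applies both layers deliberately: the allowlist rejects the sample outright, but `encode_for_html` would still neutralize the markup for any parameter that legitimately has to accept a wider character set, which is why output encoding is the layer that must never be skipped.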