CAPEC - CAPEC-104: Cross Zone Scripting (Version 3.9)


CAPEC Common Attack Pattern Enumeration and Classification A Community Resource for Identifying and Understanding Attacks	New to CAPEC? Start Here

Home > CAPEC List > CAPEC-104: Cross Zone Scripting (Version 3.9)

CAPEC-104: Cross Zone Scripting

Attack Pattern ID: 104

Abstraction: Standard

View customized information:

Description

An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.

Extended Description

In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

Nature	Type	ID	Name
ChildOf	Meta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	233	Privilege Escalation

Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Find systems susceptible to the attack: Find systems that contain functionality that is accessed from both the internet zone and the local zone. There needs to be a way to supply input to that functionality from the internet zone and that original input needs to be used later on a page from a local zone.

Techniques
Leverage knowledge of common local zone functionality on targeted platforms to guide attempted injection of code through relevant internet zone mechanisms. In some cases this may be due to standard system configurations enabling shared functionality between internet and local zones. The attacker can search for indicators that these standard configurations are in place.

Experiment

Find the insertion point for the payload: The attacker first needs to find some system functionality or possibly another weakness in the system (e.g. susceptibility to cross site scripting) that would provide the attacker with a mechanism to deliver the payload (i.e. the code to be executed) to the user. The location from which this code is executed in the user's browser needs to be within the local machine zone.
Techniques
Finding weaknesses in functionality used by both privileged and unprivileged users.

Techniques
Finding weaknesses in functionality used by both privileged and unprivileged users.

Exploit

Craft and inject the payload: Develop the payload to be executed in the higher privileged zone in the user's browser. Inject the payload and attempt to lure the victim (if possible) into executing the functionality which unleashes the payload.

Techniques
The attacker makes it as likely as possible that the vulnerable functionality into which they have injected the payload has a high likelihood of being used by the victim.
Leverage cross-site scripting vulnerability to inject payload.

Prerequisites

The target must be using a zone-aware browser.

Skills Required

[Level: Medium]

Ability to craft malicious scripts or find them elsewhere and ability to identify functionality that is running web controls in the local zone and to find an injection vector into that functionality

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences

Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality	Read Data
Confidentiality Access Control Authorization	Gain Privileges
Confidentiality Integrity Availability	Execute Unauthorized Commands

Mitigations

Disable script execution.

Ensure that sufficient input validation is performed for any potentially untrusted data before it is used in any privileged context or zone

Limit the flow of untrusted data into the privileged areas of the system that run in the higher trust zone

Limit the sites that are being added to the local machine zone and restrict the privileges of the code running in that zone to the bare minimum

Ensure proper HTML output encoding before writing user supplied data to the page

Example Instances

There was a cross zone scripting vulnerability discovered in Skype that allowed one user to upload a video with a maliciously crafted title that contains a script. Subsequently, when the victim attempts to use the "add video to chat" feature on attacker's video, the script embedded in the title of the video runs with local zone privileges. Skype is using IE web controls to render internal and external HTML pages. "Add video to chat" uses these web controls and they are running in the Local Zone. Any user who searched for the video in Skype with the same keywords as in the title field, would have the attackers' code executing in their browser with local zone privileges to their host machine (e.g. applications on the victim's host system could be executed).

Related Weaknesses

Section HelpA Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful. If multiple weaknesses are associated with the attack pattern, then any of the weaknesses (but not necessarily all) may be present for the attack to be successful. Each related weakness is identified by a CWE identifier.

CWE-ID	Weakness Name
250	Execution with Unnecessary Privileges
638	Not Using Complete Mediation
285	Improper Authorization
116	Improper Encoding or Escaping of Output
20	Improper Input Validation

Taxonomy Mappings

Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2014年06月23日 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014年06月23日 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015年12月07日 (Version 2.8)	CAPEC Content Team	The MITRE Corporation
2015年12月07日 (Version 2.8)	Updated Related_Attack_Patterns
2017年08月04日 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017年08月04日 (Version 2.11)	Updated Resources_Required
2020年07月30日 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020年07月30日 (Version 3.3)	Updated Execution_Flow, Related_Attack_Patterns
2022年02月22日 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022年02月22日 (Version 3.7)	Updated Description, Extended_Description

More information is available — Please select a different filter.

Page Last Updated or Reviewed: July 31, 2018


MITRE	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| CAPEC on Twitter CAPEC on LinkedIn CAPEC on YouTube CAPEC Out-of-Bounds-Read Podcast CAPEC Blog on Medium Use of the Common Attack Pattern Enumeration and Classification (CAPEC), and the associated references from this website are subject to the Terms of Use. Copyright © 2007–2025, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.	HSSEDI

Common Attack Pattern Enumeration and Classification

CAPEC-104: Cross Zone Scripting