CAPEC - CAPEC-243: XSS Targeting HTML Attributes (Version 3.9)


CAPEC Common Attack Pattern Enumeration and Classification A Community Resource for Identifying and Understanding Attacks	New to CAPEC? Start Here

Home > CAPEC List > CAPEC-243: XSS Targeting HTML Attributes (Version 3.9)

CAPEC-243: XSS Targeting HTML Attributes

Attack Pattern ID: 243

Abstraction: Detailed

View customized information:

Description

An adversary inserts commands to perform cross-site scripting (XSS) actions in HTML attributes. Many filters do not adequately sanitize attributes against the presence of potentially dangerous commands even if they adequately sanitize tags. For example, dangerous expressions could be inserted into a style attribute in an anchor tag, resulting in the execution of malicious code when the resulting page is rendered. If a victim is tricked into viewing the rendered page the attack proceeds like a normal XSS attack, possibly resulting in the loss of sensitive cookies or other malicious activities.

Typical Severity

Medium

Relationships

Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

Nature	Type	ID	Name
ChildOf	Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	588	DOM-Based XSS
ChildOf	Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	591	Reflected XSS
ChildOf	Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	592	Stored XSS

Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Inject Unexpected Items

Execution Flow

Explore

Survey the application for user-controllable inputs: Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.

Techniques
Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.
Use a proxy tool to record all links visited during a manual traversal of the web application.
Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.

Experiment

Probe identified potential entry points for XSS targeting HTML attributes: The adversary uses the entry points gathered in the "Explore" phase as a target list and injects various malicious expressions as input, hoping to embed them as HTML attributes.

Techniques
Inject single and double quotes into URL parameters or other inputs to see if they are filtered out. Also use URL encoding to bypass filters.
Use single or double quotes to close attribute evaluation and enter a new attribute that contains an expression.

Craft malicious XSS URL: Once the adversary has determined which parameters are vulnerable to XSS, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim.
Techniques
Execute a script using an expression embedded in an HTML attribute, which avoids needing to inject a script tag.
Send information gathered from the malicious script to a remote endpoint.

Techniques
Execute a script using an expression embedded in an HTML attribute, which avoids needing to inject a script tag.
Send information gathered from the malicious script to a remote endpoint.

Exploit

Get victim to click URL: In order for the attack to be successful, the victim needs to access the malicious URL.

Techniques
Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion.
Put the malicious URL on a public forum, where many victims might accidentally click the link.

Prerequisites

The target application must fail to adequately sanitize HTML attributes against the presence of dangerous commands.

Resources Required

The adversary must trick the victim into following a crafted link to a vulnerable server or view a web post where the dangerous commands are executed.

Mitigations

Design: Use libraries and templates that minimize unfiltered input.

Implementation: Normalize, filter and use an allowlist for all input including that which is not expected to have any scripting content.

Implementation: The victim should configure the browser to minimize active content from untrusted sources.

Related Weaknesses

Section HelpA Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful. If multiple weaknesses are associated with the attack pattern, then any of the weaknesses (but not necessarily all) may be present for the attack to be successful. Each related weakness is identified by a CWE identifier.

CWE-ID	Weakness Name
83	Improper Neutralization of Script in Attributes in a Web Page

References

[REF-94] Jeremiah Grossman. "Attribute-Based Cross-Site Scripting". <http://jeremiahgrossman.blogspot.com/2007/07/attribute-based-cross-site-scripting.html>.

Content History

Submissions
Submission Date	Submitter	Organization
2014年06月23日 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014年06月23日 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017年05月01日 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017年05月01日 (Version 2.10)	Updated Description Summary, Related_Attack_Patterns, Related_Weaknesses
2018年07月31日 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018年07月31日 (Version 2.12)	Updated Description Summary
2020年07月30日 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020年07月30日 (Version 3.3)	Updated Mitigations
2022年02月22日 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022年02月22日 (Version 3.7)	Updated Execution_Flow, Resources_Required
Previous Entry Names
Change Date	Previous Entry Name
2017年05月01日 (Version 2.10)	Cross-Site Scripting in Attributes
2018年07月31日 (Version 2.12)	XSS Targetting HTML Attributes

More information is available — Please select a different filter.

Page Last Updated or Reviewed: July 31, 2018


MITRE	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| CAPEC on Twitter CAPEC on LinkedIn CAPEC on YouTube CAPEC Out-of-Bounds-Read Podcast CAPEC Blog on Medium Use of the Common Attack Pattern Enumeration and Classification (CAPEC), and the associated references from this website are subject to the Terms of Use. Copyright © 2007–2025, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.	HSSEDI

Common Attack Pattern Enumeration and Classification

CAPEC-243: XSS Targeting HTML Attributes