Detailedseverity: MediumDraft

CAPEC-243XSS Targeting HTML Attributes

Abstraction
Detailed
Status
Draft
Severity
Medium

Description

An adversary inserts commands to perform cross-site scripting (XSS) actions in HTML attributes. Many filters do not adequately sanitize attributes against the presence of potentially dangerous commands even if they adequately sanitize tags. For example, dangerous expressions could be inserted into a style attribute in an anchor tag, resulting in the execution of malicious code when the resulting page is rendered. If a victim is tricked into viewing the rendered page the attack proceeds like a normal XSS attack, possibly resulting in the loss of sensitive cookies or other malicious activities.

Related weaknesses· 1

CWE-83

Related attack patterns· 3

CAPEC-591 (ChildOf)CAPEC-592 (ChildOf)CAPEC-588 (ChildOf)

Exploits1

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Script in Attributes in a Web Pagecwe-83100%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC
XSS Targeting URI Placeholders
CAPEC
XSS Through HTTP Query Strings
CAPEC
XSS Through HTTP Headers
CAPEC
XSS Targeting Non-Script Elements
CAPEC
Cross-Site Scripting (XSS)
CAPEC
DOM-Based XSS
Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.