
CAPEC-244: XSS Targeting URI Placeholders

Abstraction: Detailed
Status: Draft
Likelihood: High
Severity: High

Description

An attack of this type exploits the ability of most browsers to interpret "data", "javascript" or other URI schemes as client-side executable content placeholders. The attack consists of passing a malicious URI in the HREF attribute of an anchor tag, or in a similar attribute of another HTML tag. Such a malicious URI contains, for example, base64-encoded HTML content with an embedded cross-site scripting payload. The attack is executed when the browser interprets the malicious content, for example when the victim clicks on the malicious link.
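A defensive counterpart to the description above, as an added example that is not part of the CAPEC entry: a scheme allowlist applied to a URL before it is written into an HREF or similar attribute. The function names, the allowlist contents and the sample inputs are constructed for illustration, and the input is assumed to be the attribute value after HTML entity decoding.

```javascript
// Added example: allowlist URI schemes before a value reaches href/src/action.
// Assumption: only these schemes are needed by the application.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Mirror the browser URL parser's preprocessing so the check sees what the
// browser will see: strip leading/trailing C0 controls and spaces, then
// remove every ASCII tab and newline.
function normalizeUrlInput(value) {
  return String(value)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Fail closed: any ":" before the first "/", "?" or "#" is treated as a
// scheme delimiter, and the text before it must be on the allowlist.
function classifyUrl(value) {
  const url = normalizeUrlInput(value);
  const firstSegment = url.split(/[\/?#]/, 1)[0];
  const colon = firstSegment.indexOf(":");
  if (colon === -1) return { url, scheme: null, allowed: true }; // relative reference
  const scheme = firstSegment.slice(0, colon).toLowerCase();
  return { url, scheme, allowed: ALLOWED_SCHEMES.has(scheme) };
}

// Returns the normalized URL, or a harmless fallback when the scheme is not
// allowed. The caller must still HTML-escape the result for the attribute.
function safeHref(value, fallback = "#") {
  const { url, allowed } = classifyUrl(value);
  return allowed ? url : fallback;
}

// Constructed sample inputs (benign payloads).
const samples = [
  "https://example.com/a?b=1",
  "/docs/page#top",
  "mailto:user@example.com",
  "  JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html;base64,PHA+aGk8L3A+",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeHref(s));
}
```

The normalization step matters because a check that only compares the raw string prefix against "javascript:" misses mixed case, leading whitespace and embedded tabs or newlines, all of which the browser discards before it identifies the scheme.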

Related weaknesses · 1

CWE-83

Related attack patterns · 3

CAPEC-591 (ChildOf)
CAPEC-592 (ChildOf)
CAPEC-588 (ChildOf)

Exploits · 1

Type: Weakness
Target: Improper Neutralization of Script in Attributes in a Web Page (cwe-83)
Confidence: 100%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: XSS Targeting HTML Attributes
CAPEC: XSS Through HTTP Query Strings
CAPEC: XSS Targeting Non-Script Elements
CAPEC: XSS Through HTTP Headers
CAPEC: Cross-Site Scripting (XSS)
CAPEC: XSS Using MIME Type Mismatch

Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.