Detailedseverity: MediumDraft

CAPEC-247XSS Using Invalid Characters

Abstraction
Detailed
Status
Draft
Severity
Medium

Description

An adversary inserts invalid characters in identifiers to bypass application filtering of input. Filters may not scan beyond invalid characters but during later stages of processing content that follows these invalid characters may still be processed. This allows the adversary to sneak prohibited commands past filters and perform normally prohibited operations. Invalid characters may include null, carriage return, line feed or tab in an identifier. Successful bypassing of the filter can result in a XSS attack, resulting in the disclosure of web cookies or possibly other results.

Related weaknesses· 1

CWE-86

Related attack patterns· 3

CAPEC-591 (ChildOf)CAPEC-592 (ChildOf)CAPEC-588 (ChildOf)

Exploits1

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Invalid Characters in Identifiers in Web Pagescwe-86100%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC
XSS Using Doubled Characters
CAPEC
XSS Using Alternate Syntax
CAPEC
XSS Targeting Non-Script Elements
CAPEC
XSS Through HTTP Query Strings
CAPEC
XSS Targeting HTML Attributes
CAPEC
XSS Through HTTP Headers
Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.