CAPEC-468 Détail

CAPEC-468

Nom

Generic Cross-Browser Cross-Domain Theft

Gravité typique

Moyen

Statut

Draft

Publié

2014-06-23
00h00 +00:00

Modifié

2022-02-22
00h00 +00:00

Liens officiels

CAPEC Mitre.org

Alerte pour un CAPEC

Restez informé de toutes modifications pour un CAPEC spécifique.

Gestion des notifications

Liste des Notifications

Alerte pour un CAPEC

Restez informé de toutes modifications pour un CAPEC spécifique.

Paramètres

Vous pouvez spécifier un titre qui sera récupéré dans les alertes qui seront envoyées.

Spécifiez le CAPEC ID que vous désirez surveiller.

Planifications

Mois

Prochaine exécution calculée

Jour

Jour de la semaine

Heure

Minute

Date de création

Dernière exécution

Prochaine exécution

Fonctionnalité nécessitant une connexion

Cette fonctionnalité qui vous permet de recevoir des alertes, n'est active que lorsque vous êtes connecté à votre compte.

Descriptions du CAPEC

An attacker makes use of Cascading Style Sheets (CSS) injection to steal data cross domain from the victim's browser. The attack works by abusing the standards relating to loading of CSS: 1. Send cookies on any load of CSS (including cross-domain) 2. When parsing returned CSS ignore all data that does not make sense before a valid CSS descriptor is found by the CSS parser.

Informations du CAPEC

Conditions préalables

No new lines can be present in the injected CSS stringProper HTML or URL escaping of the " and ' characters is not presentThe attacker has control of two injection points: pre-string and post-string

Compétences requises

Ability to craft a CSS injection

Ressources nécessaires

Attacker controlled site/page to render a page referencing the injected CSS string

Atténuations

Design: Prior to performing CSS parsing, require the CSS to start with well-formed CSS when it is a cross-domain load and the MIME type is broken. This is a browser level fix.
Implementation: Perform proper HTML encoding and URL escaping

Faiblesses connexes

CWE-ID	Nom de la faiblesse
CWE-707	Improper Neutralization The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
CWE-149	Improper Neutralization of Quoting Syntax Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.
CWE-177	Improper Handling of URL Encoding (Hex Encoding) The product does not properly handle when all or part of an input has been URL encoded.
CWE-838	Inappropriate Encoding for Output Context The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component.

Références

REF-405

Generic cross-browser cross-domain theft
Chris Evans.
http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html

Soumission

Nom	Organisation	Date	Date de publication
CAPEC Content Team	The MITRE Corporation	2014-06-23 +00:00

Modifications

Nom	Organisation	Date	Commentaire
CAPEC Content Team	The MITRE Corporation	2015-11-09 +00:00	Updated Related_Attack_Patterns
CAPEC Content Team	The MITRE Corporation	2015-12-07 +00:00	Updated Related_Attack_Patterns
CAPEC Content Team	The MITRE Corporation	2020-12-17 +00:00	Updated Mitigations
CAPEC Content Team	The MITRE Corporation	2022-02-22 +00:00	Updated Description, Extended_Description

Détail du CAPEC-468