CAPEC-106 - Cross Site Scripting through Log Files

An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.

Severity

Likelihood

Confidentiality

Integrity

Availability

  • Attack Methods (1)
    • Injection
  • Purposes (1)
    • Exploitation
  • Sec Principles (2)
    • Reluctance to Trust
    • Defense in Depth
  • Scopes (4)
    • Read files or directories; Read application data: Confidentiality
    • Gain privileges / assume identity: Access Control, Authorization, Confidentiality
    • Execute unauthorized code or commands: Availability, Integrity, Confidentiality
    • Modify application data; Modify files or directories; Modify memory: Integrity

Low level: Requires the ability to write a simple script and to try to inject it through the various user-controlled fields in the system.

The system uses a web based interface

The system does not cleanse / validate user supplied data before writing it to logs

Information from logs is displayed in a web based interface

The web based log interface does not HTML output encode the log data prior to displaying it in the administrator console.

No specialized hardware is required

Locate system screens for operations that are likely to be logged and use these as starting points for injection

Step 1 - Probe for log injection vulnerability

The attacker examines all user-controllable data inputs to the system for log injection vulnerabilities. This may be difficult (unless the attacker has a white box view of the system) because there may not be a feedback event indicating to the attacker that certain information is being logged.

Step 2 - Probe for cross-site scripting vulnerability

The attacker examines all user-controllable data inputs to the system for cross-site scripting vulnerabilities. Cross-site scripting vulnerabilities identified anywhere in the application indicate an increased likelihood that such vulnerabilities also exist in the log management portions of the application.


Step 1 - Confirm exploitability

Create a simple script and inject it into one of the potentially vulnerable fields. This script should take some action that gives the attacker an indication that the attack vector exists.

Technique ID: 1 - Environment(s) env-Web

The idea is to receive some sort of feedback event that confirms the attack is succeeding. This is done with a simple script before possibly crafting a more complex script to launch an actual attack.

Outcome ID: 1

Type: Success

Expected script execution feedback event is observed.



Step 1 - Inject System Logs with Malicious Scripts

Create a malicious script to run in the administrator's web based interface and inject it into the system's logs through one of the user controlled fields that are being logged.

Technique ID: 1 - Environment(s) env-Web

Inject the vulnerable fields by tampering with their values to contain the malicious scripts. Possibly trigger another event that makes it more likely that injected logs are viewed in the vulnerable UI as soon as possible.


HTML output encode all data prior to writing to an HTML page

Properly validate and cleanse/reject user supplied data before writing it to log files

Cleanse all user supplied data before placing it in the logs. Reject all bad data. Ensure that the data is in the expected form.

Use proper HTML output encoding techniques to strip the log data of potentially dangerous scripting characters before displaying it in the administrative console

If possible, disable script execution in the administrative interface.
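The mitigations above in working form, as an added example that is not part of the CAPEC entry: user-supplied data is validated against its expected form and cleansed of line-structure characters before it reaches the log, and every log line is HTML output encoded when the administrative console renders it. The field (a login name), its validation pattern, the sample value and the function names are assumptions made for this illustration; the weak renderer is included only to contrast it with the encoded one.

```python
import html
import re

# Constructed sample input: what a client-controlled "username" field might carry.
# It embeds CR/LF to forge a second log line and a script tag aimed at the log viewer.
SAMPLE_FIELD = "alice\r\n2024-01-01 00:00:00 INFO login ok <script>alert(1)</script>"

# Assumption for this example: login names are short and drawn from a narrow alphabet.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# CR, LF and every other ASCII control character (plus DEL).
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def validate_username(value):
    """Reject-by-default: accept only values in the expected form."""
    return USERNAME_RE.fullmatch(value) is not None


def sanitize_for_log(value, max_len=256):
    """Cleanse a value before it is written to a log line.

    Control characters are replaced by a visible \\xNN escape so a single
    field can never start a new log line; the length is capped so a field
    cannot flood the log. HTML is deliberately left as-is here: how the
    line is displayed is the renderer's job (see render_log_rows).
    """
    cleaned = _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)
    if len(cleaned) > max_len:
        cleaned = cleaned[:max_len] + "...[truncated]"
    return cleaned


def log_login_attempt(username, ok):
    """Build the single log line the application writes for a login attempt."""
    if not validate_username(username):
        # Record the rejection, but never echo the raw value into the log.
        return 'WARN login rejected (malformed username) user="%s"' % sanitize_for_log(username)
    return "INFO login %s user=%s" % ("ok" if ok else "failed", username)


def render_log_rows_weak(lines):
    """The weak pattern: raw log text concatenated into HTML (stored XSS sink)."""
    return "".join("<tr><td>%s</td></tr>" % line for line in lines)


def render_log_rows(lines):
    """HTML output encode every log line before placing it in the admin page."""
    return "".join(
        "<tr><td>%s</td></tr>" % html.escape(line, quote=True) for line in lines
    )


def admin_console_headers():
    """Response headers for the log viewer: a CSP that forbids script execution
    entirely, as a second layer behind output encoding."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'none'; style-src 'self'; img-src 'self'",
    }


if __name__ == "__main__":
    line = log_login_attempt(SAMPLE_FIELD, False)
    print("log line :", line)
    print("weak html:", render_log_rows_weak([line]))
    print("safe html:", render_log_rows([line]))
```

The two controls are independent on purpose: sanitising at write time protects the integrity of the log itself (no forged entries, no unbounded lines), while encoding at render time protects whoever reads it, so a log written by a component that skipped the first step is still displayed safely.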