CAPEC-104

Standard Abstraction Level
Meta — Very abstract, high-level category
Standard — Specific enough to understand
Detailed — Tied to specific technique
Draft MITRE CAPEC Status
Stable — Fully reviewed and complete
Draft — Under development
Incomplete — Partially defined
Deprecated — No longer recommended
Obsolete — Replaced by another CAPEC
Likelihood: Medium Severity: High
Cross Zone Scripting

Description

An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.

Prerequisites

The target must be using a zone-aware browser.

Mitigations

Disable script execution.

Ensure that sufficient input validation is performed for any potentially untrusted data before it is used in any privileged context or zone

Limit the flow of untrusted data into the privileged areas of the system that run in the higher trust zone

Limit the sites that are being added to the local machine zone and restrict the privileges of the code running in that zone to the bare minimum

Ensure proper HTML output encoding before writing user supplied data to the page

Skills Required

[Medium] Ability to craft malicious scripts or find them elsewhere and ability to identify functionality that is running web controls in the local zone and to find an injection vector into that functionality