TID-319: Cross Site Scripting (XSS)
Threat Description
The device does not properly restrict, filter, or validate the content of web-based requests or outputs, especially content used to construct HTML or JavaScript elements within a web page. A threat actor can add malicious JavaScript to an HTTP request, including through a GET/POST parameter or HTTP header fields, which then executes in the browser of an unsuspecting user. The malicious JavaScript can then be used to steal session tokens or send malicious requests (especially leveraging XMLHttpRequest) to change device configurations or data.
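The weakness described above is the absence of output encoding between the request and the generated page. The following is an added example, not part of the TID-319 entry and not code from any of the products cited below: a minimal status-page renderer for a device's embedded web UI, shown first in the CWE-79 pattern (request values interpolated raw into HTML) and then with HTML entity encoding applied to every untrusted value. The request object, the page template and the function names (escapeHtml, renderStatusPageUnsafe, renderStatusPageSafe, containsInjectedMarkup) are all constructed for this example.

```javascript
// Added example (not from the TID-319 entry): neutralizing request data
// before it is placed in a web page, per CWE-79. Request shape, template
// and all function names are constructed for illustration.

// Encode the five characters that can terminate HTML text or attribute
// context. Applying this to every untrusted value before interpolation is
// the "neutralization" step CWE-79 refers to.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable pattern: a GET parameter and a request header are written into
// the page as-is, so any markup they carry becomes part of the document.
function renderStatusPageUnsafe(req) {
  return `<html><body>
<h1>Device status for ${req.query.hostname}</h1>
<input name="hostname" value="${req.query.hostname}">
<p>Client: ${req.headers['user-agent']}</p>
</body></html>`;
}

// Hardened form: the same template, but every untrusted value is encoded
// for the HTML text/attribute context it lands in. Encoded values render
// as literal text and cannot introduce new elements or attributes.
function renderStatusPageSafe(req) {
  const hostname = escapeHtml(req.query.hostname);
  const ua = escapeHtml(req.headers['user-agent']);
  return `<html><body>
<h1>Device status for ${hostname}</h1>
<input name="hostname" value="${hostname}">
<p>Client: ${ua}</p>
</body></html>`;
}

// Simple check used to compare the two renderers: does the output contain
// a <script> or <img> element that the template itself never emits?
// After encoding, '<' becomes '&lt;', so encoded input never matches.
function containsInjectedMarkup(html) {
  return /<(script|img)\b/i.test(html);
}

// Constructed request: the query parameter tries to close the input's
// value attribute and start a script element; the User-Agent header
// carries an element with an event-handler attribute.
const constructedRequest = {
  query: { hostname: 'router1"><script>alert(1)</script>' },
  headers: { 'user-agent': 'Mozilla/5.0 <img src=x onerror=alert(2)>' },
};

console.log('unsafe renderer injectable:',
  containsInjectedMarkup(renderStatusPageUnsafe(constructedRequest)));
console.log('safe renderer injectable:',
  containsInjectedMarkup(renderStatusPageSafe(constructedRequest)));
```

Entity encoding is context-specific: the function above is correct for HTML text and quoted attribute values, which is where this template places the data. A value written into a JavaScript string, a URL, or an unquoted attribute needs the encoding for that context instead, and the most reliable way to get that right in a device web UI is a templating layer that encodes by default rather than per-site calls to an escape function.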
Threat Maturity and Evidence
Known Exploitable Weakness
ATT&CK Technique: Drive-by Compromise (T1189)
“Multiple ways of delivering exploit code to a browser exist (i.e., Drive-by Target), including: A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.”
CWE
CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) (Base)
“The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.”
CVE
NetComm Wireless 4G LTE Light Industrial M2M Router - CVE-2018-14784
“The device is vulnerable to several cross-site scripting attacks, allowing a remote attacker to run arbitrary code on the device.”
Siemens SIMATIC S7-1500 CPU Firmware Vulnerabilities, CISA
“The integrated web server may … be vulnerable to cross-site request forgery (CSRF), cross-site scripting (XSS), header injection, and open redirect attacks as well as privilege escalation.”