CROSS-SITE SCRIPTING SECURITY BUG HITS THE WEB

Andre' Kesteloot akestelo@bellatlantic.net
Fri, 04 Feb 2000 18:28:32 -0500


CROSS-SITE SCRIPTING SECURITY BUG HITS THE WEB
by Dave Murphy, member@itrain.org

A new security threat that puts all web users at significant
risk has been described in a security alert posted by the
CERT Coordination Center, hosted by the Carnegie-Mellon
Software Engineering Institute and widely regarded as the
Internet's most recognized security authority.

CERT described in its alert how a website may
inadvertently include malicious HTML tags or a script in a
dynamically generated webpage when that page is built from
unvalidated input from untrustworthy sources.

This can be a problem when an Internet web server does
not adequately ensure that generated pages are properly
encoded to prevent unintended execution of scripts, and
when input is not validated to prevent malicious HTML
from being presented to the user.

Most web browsers have the capability to interpret scripts
embedded in webpages. Such scripts may be written in a
variety of scripting languages and are run by the client's
browser. Most browsers are installed with the capability to
run scripts enabled by default.

When a victim with scripts enabled in their browser views a
page containing such content, the malicious code may be
executed unexpectedly. Scripting tags that can be embedded
in this way include <SCRIPT>, <OBJECT>, <APPLET>,
and <EMBED>.

In addition to scripting tags, other HTML tags such as the
<FORM> tag have the potential to be abused by an
attacker. For example, by embedding malicious <FORM>
tags at the right place, an intruder can trick users into
revealing sensitive information by modifying the behavior
of an existing form. Other HTML tags can also be abused
to alter the appearance of the page, insert unwanted or
offensive images or sounds, or otherwise interfere with
the intended appearance and behavior of the page.
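As an added illustration, not part of the CERT alert or of this article, the following Python code puts the two failings the article names side by side: a page generator that pastes visitor-supplied text straight into its output, and a hardened version that HTML-encodes the text and applies an allowlist check to the input. The function names, the sample inputs (a script tag and a form tag) and the example.invalid URL are constructed for this example.

```python
import html
import re

# Constructed sample inputs: the kind of text an untrusted visitor might
# submit in a field that the page later echoes back. The first carries a
# scripting tag, the second an HTML tag that would rewrite a form.
SCRIPT_INPUT = '<SCRIPT>alert(1)</SCRIPT>'
FORM_INPUT = '<FORM action="https://example.invalid/collect">'  # constructed

# Allowlist for a display name: letters, digits, underscore, dot, dash,
# 1 to 32 characters. Anything else is rejected before it is used.
USERNAME_RE = re.compile(r'^[A-Za-z0-9_.-]{1,32}$')


def render_unsafe(name: str) -> str:
    """Vulnerable: untrusted input is inserted verbatim, so any tag in it
    becomes live markup in the generated page."""
    return f"<html><body><p>Hello, {name}!</p></body></html>"


def render_safe(name: str) -> str:
    """Hardened: encode for the HTML text context so '<', '>', '&' and
    quotes become entities and the browser shows them as plain text."""
    return f"<html><body><p>Hello, {html.escape(name, quote=True)}!</p></body></html>"


def validate_username(name: str) -> bool:
    """Input validation: accept only values matching the allowlist."""
    return USERNAME_RE.fullmatch(name) is not None


def contains_live_markup(page: str, injected: str) -> bool:
    """Defender's check: does the injected string survive in the page with
    its angle brackets intact (i.e. as markup rather than as text)?"""
    return injected in page


if __name__ == "__main__":
    for sample in (SCRIPT_INPUT, FORM_INPUT):
        print("input:         ", sample)
        print("valid username:", validate_username(sample))
        print("unsafe page:   ", render_unsafe(sample))
        print("safe page:     ", render_safe(sample))
        print()
```

Encoding is applied at output time for the HTML text context; input validation rejects the value earlier. Both are needed because the same value may be rendered in several contexts, and the allowlist alone does not cover fields that legitimately contain punctuation.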

This vulnerability is unusual because it's not limited to
software from any one particular vendor. All web
browsers on any type of operating system are at risk.

Call for Comments
What do you think? Leave your comments on the
message center: http://itrain.org/msg/