Bugtraq mailing list archives
recent 'cross site scripting' CERT advisory
From: tim () RSTCORP COM (Tim Hollebeek)
Date: Fri, 4 Feb 2000 12:58:45 -0500
Wednesday's CERT advisory CA-2000-02 "Malicious HTML Tags Embedded in Client Web Requests" has received some attention in the mass media. This is very appropriate due to the importance of the reported problem. However, many media reports have contained a number of inaccuracies about the nature, scope, and impact of the problem. This post is intended to clear up a number of misconceptions about what the problem is and what the impact is. For the full details, including an enumeration of a number of possible attack scenarios, the CERT advisory should be read in its entirety.

Misconception #1: This is a single bug or problem

The CERT advisory warns of an entire class of attacks. Every web site that offers more than simple unchanging HTML pages is potentially at risk. This means every e-commerce site, every auction site, every web based mail site, etc. Any software that can understand and interpret URLs and HTML, and communicates with the outside world is also potentially at risk.

Misconception #2: This problem is "new"

Security experts and hackers have been aware of the ability to exploit these problems for a long time, but creators of web sites and web-enabled software have for the most part not paid adequate attention to these problems. CERT's motivation appears to be to raise awareness of these significant dangers in the hopes that future and existing systems will be (re-)engineered with these problems in mind.

Misconception #3: This problem has never been exploited by hackers.

Many of the problems with Microsoft's hotmail have been due to attacks which fall within the range of this security advisory, as does the eBayla attack on eBay.

Misconception #4: The potential damage from these attacks is minimal.

While scripting languages have very limited ability to take actions that can lead to security compromises in the traditional sense, they allow for a wide range of new attacks that can be equally devastating to a host system or company.

Most attacks involving scripts lead to the loss or alteration of protected, valuable or sensitive information like credit card numbers, customer information, passwords, or even the contents of entire pages on private intranets. If this information can be easily accessed or manipulated there often no longer is any need to break into or gain administrative access to the machine. The critical function of the server, which is its ability to protect and process sensitive or valuable information, has already been compromised.

Tim Hollebeek
Reliable Software Technologies