Cross-site scripting: Use a custom tag library to encode dynamic content

    Date24 Sep 2002
    CategoryHacks/Cracks
    3053
    Posted ByAnthony Pell
    Blair pointed us to an article on XSS. "Cross-site scripting is a potentially dangerous security exposure that should be considered when designing a secure Web-based application. Users can unknowingly execute malicious scripts when viewing dynamically generated pages based on content provided by an attacker. An attacker can take over the user session before the user's session cookie expires. An attacker can connect users to a malicious server of the attacker's choice. This article describes the nature of the exposure, how it works, and has an overview of some recommended remediation strategies.". . . Blair pointed us to an article on XSS. "Cross-site scripting is a potentially dangerous security exposure that should be considered when designing a secure Web-based application. Users can unknowingly execute malicious scripts when viewing dynamically generated pages based on content provided by an attacker. An attacker can take over the user session before the user's session cookie expires. An attacker can connect users to a malicious server of the attacker's choice. This article describes the nature of the exposure, how it works, and has an overview of some recommended remediation strategies."

    Most Web sites today add dynamic content to a Web page making the experience for the user more enjoyable. Dynamic content is content generated by some server process, which when delivered can behave and display differently to the user depending upon their settings and needs. Dynamic Web sites have a threat that static Web sites don't, called "cross-site scripting," also known as "XSS."

    "A Web page contains both text and HTML markup that is generated by the server and interpreted by the client browser. Web sites that generate only static pages are able to have full control over how the browser user interprets these pages. Web sites that generate dynamic pages do not have complete control over how their outputs are interpreted by the client. The heart of the issue is that if untrusted content can be introduced into a dynamic page, neither the Web sites nor the client has enough information to recognize that this has happened and take protective actions," according to CERT Coordination Center, a federally funded research and development center to study Internet security vulnerabilities and provide incident response.

    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"13","type":"x","order":"1","pct":52,"resources":[]},{"id":"88","title":"Should be more technical","votes":"4","type":"x","order":"2","pct":16,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"8","type":"x","order":"3","pct":32,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.