- Cross-Site Scripting vulnerabilities: what they are and how to prevent them -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com
Madrid, March 8 2002 - The Computer Emergency Response Team Coordination
Center -CERT/CC-) has published an interesting article(*) explaining
Cross-Site Scripting vulnerabilities, and offering practical advice on how
to deal with them.
Cross-Site Scripting (CSS) vulnerabilities center on the possibility for an
attacker to make a legitimate web server send a page with harmful code in
response to a request. So for example, when a user clicks on a link that
points at a bank's web page, they could receive a false web page prepared by
the attacker to resend any information entered (passwords, credit card
details etc.). In this way, the user might enter any amount of confidential
data, completely unaware that they are in fact sending this information to
One of the most frequently used techniques consists of constructing links
with script 'injected'. Along the lines of the example above, when the user
clicks on the link, they would in fact be sending the injected code to their
bank along with the request.
One of the preventive measures that can be taken is to always go directly to
sites in which you may enter sensitive information, not via links from
potentially untrustworthy sites or from HTML e-mails.
Webmasters can also contribute by ensuring that none of their web pages
reply to requests that have not been validated. More sophisticated measures
include the use of "signed scripting", which would prevent any code that was
not digitally signed from being executed.
(*) The CERT/CC article is available at:
NOTE: The address above may not show up on your screen as one line. This
would prevent you from using the link to access the web page. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the