With this lesson we reach the half-way point of our 10-part series: Computer Security 101. The series provides a simple overview of the technology, terminology and acronyms used everyday regarding computer systems and the Internet. The goal of the series is that by having an understanding of what the technology is called and what it does you will be able to understand when there is a threat that affects you and take the appropriate steps to secure your computer system.
About 10 “people years” ago (or about 60 years ago in “web years”, according to the FAQ on Tim Berners-Lee’s web site) the World Wide Web was text-based. In 1989 Tim Berners-Lee began creating a global hypertext project. By the summer of 1991 the World Wide Web was born and released to the Internet at large.
The Hypertext Markup Language (HTML) used to create the web pages continued to be refined. By late 1992 Marc Andreessen and the NCSA team created X-Mosaic. Mosaic introduced the “img” tag, which allowed graphics to be inserted into the web pages as well. This brought on the explosive growth and popularity of the World Wide Web; however, the pages were still static, meaning they only showed whatever they were programmed to show in the first place.
In order to provide more functionality, whether for business or entertainment, companies needed to find a way to make the pages dynamic. They wanted to be able to present new information or update the information on the screen automatically. Active scripting was created to fulfill this need.
The concept and functionality of scripting languages have grown since these two initial scripting languages were introduced. The goal has always been to find more and better ways to dynamically update the web page with information that is new or unique to the user. To do this the scripting languages had to be able to pull information from the client computer or sometimes from databases housed on the server. The scripts are small programs embedded in, and executed from within, the HTML code.
It is an unfortunate fact that many of the features developed to make computing easier, more functional or more entertaining can be turned around and exploited for malicious purposes. Some sites that you visit may actually require active scripting to function properly. When using a web browser like Internet Explorer you can change the settings so that by default active scripting is not allowed. You can then add sites that require active scripting and that you feel are safe to your Trusted Sites security zone (See How To Configure Internet Explorer Security).
Another way dynamic content creates security issues is through cross site scripting (XSS). Sites that allow users to input data and don’t properly check that input for malicious script tags may be vulnerable to XSS attacks. Using XSS, an attacker could get the server to redirect your connection to another web site entirely, which could contain other malicious active scripting programs.
Typically an XSS attack is instigated by getting the targeted user to click on a link that contains malicious code. If the web site does not validate the script code or check it for malicious content, the script will be executed and the attacker could cause all sorts of problems, including stealing passwords or executing other programs on the target machine.
Cross site scripting vulnerabilities are not associated with any particular browser or web server. It doesn’t matter whether the web site is hosted on Microsoft Internet Information Server (IIS) or Apache, and it doesn’t matter whether you browse with Internet Explorer, Netscape or Opera. The problems that create XSS vulnerabilities lie in the way dynamic pages are generated, without the proper checks and balances in place to validate the content before sending the output to the user.
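As an added example (not code from the original lesson), here is a small Python page generator that shows the missing check described above: one version inserts a user-supplied search term into the HTML verbatim, the other encodes it before the page is sent. The template, the function names and the search-term input are constructed for illustration.

```python
import html
import re

# Constructed page template: the search term is the only dynamic part.
PAGE_TEMPLATE = (
    "<html><body><h1>Search results</h1>"
    "<p>You searched for: {term}</p></body></html>"
)

# Used only by the output check below: does the page carry a real
# (unencoded) script element?
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_unsafe(term: str) -> str:
    """Vulnerable generator: the user-supplied term is dropped into the
    HTML as-is, so any markup it contains becomes part of the page and
    the browser will run it like the site's own script."""
    return PAGE_TEMPLATE.format(term=term)


def render_safe(term: str) -> str:
    """Hardened generator: encode the HTML-significant characters
    (< > & " ') so the browser shows the term as text rather than
    parsing it as markup."""
    return PAGE_TEMPLATE.format(term=html.escape(term, quote=True))


def contains_script_element(page: str) -> bool:
    """Last-line check a generator can run before sending output:
    True if an unencoded <script ...> element is present."""
    return SCRIPT_TAG.search(page) is not None


if __name__ == "__main__":
    # Constructed untrusted input: a search term carrying a script tag.
    untrusted = "shoes<script>/* untrusted */</script>"
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        page = render(untrusted)
        print(f"{name}: script element present = "
              f"{contains_script_element(page)}")
```

Encoding for the HTML body, as done here, is only correct for text placed between tags; a value placed inside an attribute, a URL or a script block needs the encoding appropriate to that context.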
Computer Security 101: Lesson 5