October 20, 2018
Hot Topics:

An Oldie but Goodie: The Cross-Site Scripting Vulnerability

  • December 31, 2001
  • By Thomas Gutschmidt
  • Send Email »
  • More Articles »

Recently, we received a security alert from David deVitry of Infigon Technologies. David, a security buff and website developer, wanted to inform us of a cross-platform hole that exists on several major websites. Interestingly, the alert isn't a newly found bug or an architectural oversight, rather it is a vulnerability that is well documented by CERT and has been in existence for well over a year and half.

Tom Gutschmidt

The vulnerability itself, CERT Advisory 2000-02, sometimes called cross-site scripting or malicious tagging, takes advantage of dynamically generated Web pages. Basically, a malicious script, which could be written in a number of different languages, can be inserted as input into dynamically generated Web pages. Unless the pages are specifically built to protect against the insertions of these scripts, they allow an attacker to insert code that can poison cookies, expose SSL connections, access restricted sites, or pull off a number of other attacks.

Most commonly exploited avenues are search boxes or online forums. All an attacker has to do is insert malicious code in between scripting tags that the Web page will accept, by using <FORM> or <APPLET> tags, for instance. What makes this vulnerability especially prevalent is the number of different languages and technologies a Web designer needs to understand in order to protect against it. The exploit is possible using CGI, Perl, JavaScript, Java, .ASP, C++, and simple HTML.

Normally, a vulnerability is published, and there is a scramble by software vendors to eliminate it. In this case, despite repeated publishing, it continues to exist on high-traffic sites even a year after discovery.

To protect against this, as a consumer, CERT recommends disabling any sort of browser scripting and turn off JavaScript. For the site designer, the protection is a little more difficult to implement. It means adding code to make sure that dynamic input ignores command switches such as: /,*,<, >, and ?s. In the resources section I've added a link to a CERT section that walks you through sample code for Perl, JavaScript, HTML, and C++, and I have also included some sample .ASP code at the end of this article.

The concern, however, is about the window of exposure to this vulnerability and it's pervasiveness. deVitry reported that he could find scripting holes in almost every site he visited. Normally, a vulnerability is published, and there is a scramble by software vendors to eliminate it. In this case, despite repeated publishing, it continues to exist on high-traffic sites even a year after discovery.

With increased network and Internet traffic, recent new rashes of viruses and malicious code, huge layoffs in IT staffs, cutbacks to security, and the increased complexity of Web- and Internet-based technology, this lack of response could portend a dark future for e-commerce, and for unsuspecting consumers.

References and Resources

Thanks to David deVitry and Infigon Technologies for bringing this to our attention.

ASP Example

Several site scripting vulnerabilities exist because ASP treats all input as trusted. If you use ASP, you need to do text checking with JScript and VBScript. The following scripts are examples taken from Microsoft's IIS 5.0 security checklist.

Script to remove non-normal characters from input (i.e., only allows 0-9 and a-z input):

Set reg = New RegExp 
reg.Pattern = "\W+" ' One or more characters which ' are NOT 0-9a-zA-Z or '_' 
strUnTainted = reg.Replace(strTainted, "")

Script that strips text after the | operator

Set reg = New RegExp 
reg.Pattern = "^(.+)\|(.+)" ' Any character from the start of ' the string to a | character.
strUnTainted = reg.Replace(strTainted, "$1")

Postscript: One reader has written asking if ColdFusion Markup Language (CFML) is also vulnerable to this exploit. It is. Allaire has a security bulletin about cross site scripting located here.

About the Author

Thomas Gutschmidt is a freelance writer, in Bellevue, Wash., who also works for Widevine Technologies.

Comment and Contribute


(Maximum characters: 1200). You have characters left.



Enterprise Development Update

Don't miss an article. Subscribe to our newsletter below.

By submitting your information, you agree that developer.com may send you developer offers via email, phone and text message, as well as email offers about other products and services that developer believes may be of interest to you. developer will process your information in accordance with the Quinstreet Privacy Policy.

Thanks for your registration, follow us on our social networks to keep up-to-date