Malicious HTML Tags
A CERT Advisory says that all Web browsers, and all Web servers dynamically generating pages based on unvalidated input, can be affected by malicious HTML code, or abused by those posting it.
Tags that can be used for these purposes include: SCRIPT, OBJECT, APPLET, FORM, and EMBED.
You can find the advisory here. It suggests wariness when browsing untrusted links, and also that Web developers work to recode their dynamic sites to validate output - ensuring that undesirable tags (for example, posted to message boards) are blocked.
Security information for servers from the following vendors will be posted at the URLs linked below:
Is anyone aware of how safe existing popular applications (major message boards, etc.) are? Personally, it seems to me that this is a problem that many have been aware of for a long time, but maybe attackers are using new methods? The advisory mentions a number of different situations:
- Malicious code provided by one client for another client
- Malicious code sent inadvertently by a client for itself
- Abuse of Other Tags
- Abuse of Trust
- SSL-Encrypted Connections May Be Exposed
- Attacks May Be Persistent Through Poisoned Cookies
- Attacker May Access Restricted Web Sites from the Client
- Domain Based Security Policies May Be Violated
- Use of Less-Common Character Sets May Present Additional Risk
- Attacker May Alter the Behavior of Forms
How do you ensure that your dynamic sites are safe from malicious code?
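
One way to apply the output validation described above to a message board, as an added example that is not code from the advisory or from this post: every user-supplied value is HTML-encoded before it reaches the page, the page declares its character set explicitly, and the tags listed above are flagged for logging. The names `TagAuditor`, `audit_tags`, `render_post` and `render_page` are hypothetical, and the sample posts are constructed.

```python
import html
from html.parser import HTMLParser

# Tags the post above lists as usable for malicious purposes.
RISKY_TAGS = {"script", "object", "applet", "form", "embed"}

class TagAuditor(HTMLParser):
    """Records listed tags in a submission, for logging or moderation only."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag names, so <SCRIPT> and <Script> both match.
        if tag in RISKY_TAGS:
            self.found.append(tag)

def audit_tags(message):
    auditor = TagAuditor()
    auditor.feed(message)
    auditor.close()
    return auditor.found

def render_post(author, message):
    # Encode every user-supplied value; this, not the audit, is the control.
    return '<div class="post"><b>{}</b>: {}</div>'.format(
        html.escape(author, quote=True), html.escape(message, quote=True))

def render_page(posts):
    body = "".join(render_post(a, m) for a, m in posts)
    # Declare the charset so the browser never guesses the encoding.
    page = ('<!DOCTYPE html><html><head><meta charset="utf-8"></head>'
            "<body>" + body + "</body></html>")
    return page.encode("utf-8")

# Constructed sample submissions (not taken from the advisory).
SAMPLE_POSTS = [
    ("alice", "Nice article, thanks!"),
    ("mallory", '<SCRIPT SRC="http://example.invalid/x.js"></SCRIPT>hello'),
]

if __name__ == "__main__":
    for author, message in SAMPLE_POSTS:
        print(author, "flagged:", audit_tags(message))
    print(render_page(SAMPLE_POSTS).decode("utf-8"))
```

The audit only tells you what was submitted; the encoded output is what keeps the browser from treating a post as markup.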