2001 Tech Tip: Cross-Site Scripting Vulnerabilities
• White Paper
Publisher
Software Engineering Institute
Topic or Tag
Abstract
Have you ever mistyped the address of a website and received a message like "Error - page name could not be found" or "The page you requested: page name does not exist"? Certainly you have, and odds are you never gave it a second thought; you simply corrected the address or went to a different site altogether. It happens all the time. There are plenty of dead links or links with typos to stumble upon. However, when you encounter an error message like the two listed above, you are actually witnessing a potential security breach—not necessarily against the site, but rather against you directly.
Suppose you entered the following valid URL:
http://www.example.com/FILENAME.html
If the document "FILENAME.html" did not exist, the website could return an error message such as
<HTML>
404 page does not exist: FILENAME.html
....
</HTML>
Notice that "FILENAME.html" is a string that you entered. The web site has included it in the page returned straight through to your browser.
This may seem harmless, but now imagine that you are browsing through auctions on a popular site; let’s call it auctions.example.com. You come across several auctions that someone has posted and would like to see more items that the same person has for sale; let’s assume this person is a “bad guy” (though you don’t know it) and call him BG12345. You click on BG12345’s website and see a listing of his auctions. You click on a link on his page that interests you and are taken to auction.example.com’s site displaying that item. You scroll down to place a bid, and the auction site prompts you for your name and password to sign in. You enter all the information and hit the submit button. Everything looks fine, but in reality, the information that you submit is getting sent back to BG12345. How can this be? The answer is that auction.example.com has what is known as a cross-site scripting (CSS) vulnerability.