Most modern Web applications are dynamic in nature, allowing users to customize a website through preference settings. The server then generates dynamic web content based on those user settings. These settings often consist of personal data that needs to be kept secure. Unfortunately, dynamic websites are the most vulnerable to XSS attacks on that secure data.
Web pages that pass data to and from a database are especially vulnerable to XSS attacks. This includes pages with login IDs and passwords, shopping carts that access credit card data, personal information forms, etc. Retail, health care, government and financial Web applications are especially at risk.
Malicious HTML, JavaScript, VBScript, Flash or ActiveX scripting code can be used for XSS. Once inserted into an unsecured dynamic website, the embedded script is able to gather private data, create user requests to the Web application, steal user cookies or launch a virus on the user’s computer. The script could also cause the user to redistribute malicious content across the internet.
Once a hacker is armed with sufficient knowledge to write malicious code in a dynamic language such as JavaScript or HTML, the code can be easily tested through a browser on a dynamic website.
According to the CERT Coordination Center, a federally funded research and development center, the lack of control over user inputs puts dynamic websites at risk. Unless proactive steps are taken to guard against malicious input, a Web application cannot guarantee the security of its output.
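As an added example (not part of the original article), this Node.js sketch shows what controlling input and output looks like for a page built from stored user preferences: the same two settings rendered by plain concatenation and then with scheme validation plus HTML encoding. All function and field names are hypothetical, and the sample preference objects are constructed.

```javascript
// Added example: rendering stored user preferences into a dynamic page.
// Function names and the prefs fields (displayName, homepage) are hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Output control: encode a value for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input control: allow only http(s) links; anything else becomes an inert "#".
function safeUrl(value) {
  try {
    const url = new URL(String(value));
    return (url.protocol === 'http:' || url.protocol === 'https:') ? url.href : '#';
  } catch {
    return '#'; // not parseable as an absolute URL
  }
}

// Before: preference values are concatenated straight into the markup,
// so whatever the user stored is interpreted by the browser as HTML.
function renderProfileUnsafe(prefs) {
  return `<p>Welcome, ${prefs.displayName}</p><a href="${prefs.homepage}">Home page</a>`;
}

// After: validate the link scheme, then encode every value for its context.
function renderProfileSafe(prefs) {
  return `<p>Welcome, ${escapeHtml(prefs.displayName)}</p>` +
         `<a href="${escapeHtml(safeUrl(prefs.homepage))}">Home page</a>`;
}

// Constructed sample preferences: one hostile, one benign with special characters.
const hostile = { displayName: '<script>alert(1)</script>', homepage: 'javascript:alert(1)' };
const benign = { displayName: "Ann O'Neil", homepage: 'https://example.com/a?x=1&y=2' };

console.log(renderProfileUnsafe(hostile)); // markup from the setting reaches the page intact
console.log(renderProfileSafe(hostile));   // same setting rendered as inert text
console.log(renderProfileSafe(benign));    // legitimate data still displays correctly
```

Encoding is applied at output time because the correct encoding depends on where the value lands in the page; the scheme check is needed separately because an encoded `javascript:` link is still a live link.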