Home | What's New | FAQ | Site Contents | Contact Us | SEARCH |
About Us | Alerts | Education and Training | Events | FTP Archives | Improving Security | Other Resources | Reports | Survivability Research |
|
CERT® Coordination CenterFrequently Asked Questions About Malicious Web Scripts Redirected by Web Sites
Original release date: February 2, 2000 A problem has recently been identified that can be found on a wide variety of web sites: what you receive from a web site may not be what that site meant to send. If you click on a specially designed link, the site may unknowingly send you bad data, unwanted pictures, and programs (malicious scripts) to compromise your data. The problem is not with web browsers themselves but with how web pages are constructed and how data entering and leaving web sites is validated. "Validate" means ensuring no "unintended" characters are sent back to the client. This document includes: I. Frequently Asked QuestionsHow do malicious web scripts get to my web browser?A malicious web developer may attach a script to something you send to a web site, such as a URL, an element in a form, or a database inquiry. When the web site responds to you, the malicious script comes along, so that it is now on your browser. Among the ways you can potentially expose your web browser to malicious scripts are these:
You might link to what you consider a safe site, complete a form on a site that is not trustworthy, or search a database there. What might happen if my web browser is exposed to a malicious script?Among the possibilities are capturing your password and other information you believe is protected. You should also be concerned because malicious scripts can be used to expose restricted parts of your organization's local network (such as their intranet) to attackers who are on the Internet. Attackers may also be able to use malicious scripts to infect cookies with copies of themselves. If the infected cookie is sent back to a vulnerable web site and passed back to your browser, the malicious script may start running again. Note: This is not a vulnerability in web cookies; rather, a malicious script takes advantage of the functionality of cookies. How can I avoid the problem?The most significant impact of this vulnerability can be avoided by disabling all scripting languages. Follow the steps below to turn off options in your web browser that allow malicious scripts to run. If you're not using a current version of Netscape or Internet Explorer, (version 4 and 5, respectively), you might need to modify the steps. Note that even with scripting disabled, attackers may still be able to influence the appearance of content provided by a legitimate site by embedding other HTML tags. In particular, malicious use of the <FORM> tag is not prevented by disabling scripting languages. How will turning off the options affect my use of the web?Turning off the options will keep you from being vulnerable to
malicious scripts. However, it will limit the interaction you can have
with some web sites. You may notice a difference in functionality when
you visit legitimate sites that use scripts running within the browser
to add useful features.
The risk associated with Java applets is significantly different from some of the other technologies. Java has a robust security mechanism designed to deal with situations like these that prevents sensitive information from being disclosed or client information from being damaged. However, Java applets written by an attacker can still be loaded while your are viewing a legitimate web page. The problems that can arise are similar to those involving the <FORM> and other HTML tags. For example, an attacker could develop a "Trojan Horse" program that presented misleading information and prompted you for a password. If you failed to recognize the malicious applet for what it was, you could accidentally disclose sensitive information. You must make your own determination about disabling Java applets, based on your tolerance for these risks. If you choose to disable Java, please see the detailed instructions below. Isn't there a better way to fix the problem?The CERT/CC is working with technology vendors and other security experts on a long-term, comprehensive solution to the problem of malicious scripts running on browsers. Is there any more information available about this problem?The CERT/CC has published an advisory containing more details about the problem, its impact, and ways to deal with it. CA-2000-02 is available from You can also find information at the vendor URLs listed in the advisory. The CERT/CC has also published a "tech tip" for web page developers and web site administrators, which you might want to pass along to the appropriate people in your organization. This document, "Malicious Content Mitigation for Web Developers," is available from II. Steps for Changing Your Options in Web Browsers - Netscape and Internet ExplorerUsing Netscape 3.0 or higherNote: If you are not using Netscape version 3.0 or higher, these instructions may not be correct. To determine your software version, from the Help menu, select About Communicator... . A web page appears with information about your browser including the version number.
Using Internet Explorer 5Note: If you are not using Internet Explorer version 5, these instructions may not work correctly. To determine your software version, from the Help menu, select About Internet Explorer... . A dialog box appears with information about your browser including the version number.
This document is available from: http://www.cert.org/tech_tips/malicious_code_FAQ.html CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address:
Using encryptionWe strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from If you prefer to use DES, please call the CERT hotline for more information.
Getting security informationCERT publications and other security information are available from our web siteTo be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message.
Copyright 1999 Carnegie Mellon University. * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
|