Internet security tests, conducted by NTA Monitor during 2005, showed that many web servers and web-based applications were vulnerable to cross site scripting attacks. Now a concerning new cross site scripting method is beginning to appear that could allow attackers to monitor visitors' searches, usernames and passwords without their knowledge.
Cross site scripting enables an attacker to execute malicious code on a user's machine via the browser. The flaw arises when information submitted by users is not properly stripped of HTML tags before it is displayed, enabling an attacker to embed malicious code in a website's pages. When such a page is viewed, the embedded code runs in the visitor's browser. A user may be redirected to a fake website or have their login or user information compromised. In the worst cases, users' computers can be compromised.
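As an added illustration of the flaw just described (not code from the article or from NTA Monitor), the following Python compares a comment renderer that drops user text straight into the page with one that escapes it first, and includes a crude check that a test suite can run over rendered output. The comment text, the `PAGE_TEMPLATE` wrapper and the function names are all constructed for this example.

```python
import html
import re

# Constructed sample of a forum comment carrying embedded script markup.
# The payload is an illustration only; the article gives no example.
SAMPLE_COMMENT = 'Great article! <script>alert("xss")</script>'

# Hypothetical page fragment into which user comments are inserted.
PAGE_TEMPLATE = '<div class="comment"><p>{body}</p></div>'


def render_comment_unsafe(comment: str) -> str:
    """The flaw described above: user text is dropped into the page as-is,
    so any tags it contains become live markup in every visitor's browser."""
    return PAGE_TEMPLATE.format(body=comment)


def render_comment_safe(comment: str) -> str:
    """Hardened form: escape the HTML metacharacters (< > & " ') so the
    text is displayed literally. Escaping on output, rather than trying to
    strip known tags on input, is the reliable fix."""
    return PAGE_TEMPLATE.format(body=html.escape(comment, quote=True))


# Crude content check for rendered HTML: a <script> tag, or an on*= event
# handler attribute inside any tag. Because escaping removes every '<',
# correctly escaped input can never match; only raw user markup does.
_ACTIVE_MARKUP = re.compile(r"<\s*script\b|<[a-z][^>]*\bon[a-z]+\s*=", re.I)


def contains_active_markup(rendered: str) -> bool:
    """True if rendered output still contains executable markup, i.e. user
    input reached the page unescaped."""
    return _ACTIVE_MARKUP.search(rendered) is not None


if __name__ == "__main__":
    for renderer in (render_comment_unsafe, render_comment_safe):
        out = renderer(SAMPLE_COMMENT)
        verdict = "UNSAFE" if contains_active_markup(out) else "ok"
        print(f"{renderer.__name__}: {verdict}\n  {out}")
```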
Roy Hills, Technical Director at NTA Monitor, explains the emerging trend: "Attackers are creating websites in which they embed malicious code to track a visitor's searches, usernames and passwords. The code can affect a visitor's PC without their knowledge and can quickly spread to other visitors' machines. Interactive social websites, blogs and forums could be affected, as visitors may not necessarily be aware of the legitimacy of the companies or individuals that own the websites that they visit. If the code is embedded in a homepage, it would mean that every visitor landing on the homepage would be affected."
With the popularity of social networking sites such as MySpace and YouTube soaring, consumers and organisations are being warned by NTA of this emerging threat. It is possible that employees could put corporate network security at risk by visiting these types of websites whilst at work.
It can be difficult to identify the malicious code, as browsers do not currently identify malware, so the best way to safeguard against it is to undertake regular security testing. However, there are some precautions that can be taken in order to minimise the threat to organisations and individuals:
Related links:
www.nta-monitor.com
Taken from Information Security Bulletin.