Information Security Bulletin

New CSS Method Emerges

22 Aug 04:42

Internet security tests, conducted by NTA Monitor during 2005, showed that many web servers and web-based applications were vulnerable to cross site scripting attacks. Now a concerning new cross site scripting method is beginning to appear that could allow attackers to monitor visitors' searches, usernames and passwords without their knowledge.

Cross site scripting enables an attacker to execute malicious code on a user's machine via the browser. The flaw arises when information submitted by users is not properly stripped of HTML tags, enabling an attacker to embed malicious code on a website. When accessed, it will execute code in a user's browser. A user may be redirected to a fake website or have their login or user information compromised. In the worst cases, users' computers can be compromised.

Roy Hills, Technical Director at NTA Monitor, explains the emerging trend: "Attackers are creating websites in which they embed malicious code to track a visitor's searches, usernames and passwords. The code can affect a visitor's PC without their knowledge and can quickly spread to other visitors' machines. Interactive social websites, blogs and forums could be affected, as visitors may not necessarily be aware of the legitimacy of the companies or individuals that own the websites that they visit. If the code is embedded in a homepage, it would mean that every visitor landing on the homepage would be affected."

With the popularity of social networking sites such as MySpace and YouTube soaring, consumers and organisations are being warned by NTA of this emerging threat. It is possible that employees could put corporate network security at risk by visiting these types of websites whilst at work.

It can be difficult to identify the malicious code, as browsers do not currently identify malware and the best way to safeguard against it is to undertake regular security testing. However, there are some precautions that can be taken in order to minimise the threat to organisations and individuals:

Ensure that employees install, run and update anti-spyware and malware programs such as AdAware
Undertake regularly penetration testing
Publish an IT policy - employees should not visit non work related websites during the working day
Restrict users' access to social networking sites in line with IT policies

Related links: (Open in a new window.)
www.nta-monitor.com

View printable version (opens in new window)
Back

Search ISB News:

Not yet sure you want to subscribe? Download a free sample copy!

Download the much quoted October Editorial

Portal Frontpage
Web Editorial
About This Portal
Contact Info

IS Alerts
General News
Product News
Vendor News
People News
Literature
Events
CHI News

Subscribe Online
About ISB
Publishing in ISB
Advertising in ISB
PR Information

In the current issue:

Security Management
The Importance of Adaptability
Steve Purser

From the Trenches
Reversing Perimeter Defences – a Case Study
Søren Maigaard

Security Architectures
The Self Defending Network: New Trends In ICT Security Infrastructures
Drs. Ing. René Pluis

Subscribe Online!