Check Point Advisories

Security Best Practice: Protect Yourself from Cross-Site Scripting Attacks

Check Point Reference: SBP-2010-18
Date Published: 2 May 2010
Severity: High
Last Updated: Friday 01 January, 2010
Source: IPS Research Center
Protection Provided by:
Who is Vulnerable? Web servers
Vulnerability Description 'Cross-site' refers to the security restrictions that the client browser usually places on data (i.e. cookies, dynamic content attributes, etc.) associated with a web site. By launching a cross site scripting attack, an attacker bypasses these security restrictions, which may result in anything from disclosure of user information to execution of malicious code within the context of the user's browser. 

A cross-site scripting (XSS) attack occurs when a Web-based application fails to validate user input before returning it to the client's browser. This enables attackers to inject malicious content into Web pages to be executed in the context of the user's browser. An attacker can take a variety of malicious actions including cookie theft, account hijacking, spreading of Web-based email worms, etc.
Vulnerability DetailsTo launch a cross-site scripting attack, an attacker could send a specially crafted email message to a victim containing a malicious link scripting (e.g <script>). When the user clicks on this link, the URL is sent to a legitimate site including the malicious code. If the legitimate server sends a page back to the user, the malicious code will be executed within the context of the user's browser.

Protection Overview

×
  Feedback
This website uses cookies for its functionality and for analytics and marketing purposes. By continuing to use this website, you agree to the use of cookies. For more information, please read our Cookies Notice.
OK