Dealing with Insecurity

6 February 2000
Internet experts recently detected a Web security hole that works across virtually all Web servers and browsers. Dubbed "cross-site scripting", the glaring hole has brought together the federally funded Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University, as well as numerous Web server and browser vendors, in an effort to quickly disseminate information and solve the problem.

Experts say that cross-site scripting (CSS) permits malicious script commands or executable code to be inserted by one user into another user's session. Even worse, if incorporated into a cookie, the malicious code could follow a user throughout the Web and possibly access cached pages on computers protected behind firewalls.

The hole also allows the attacker to change what other users see on a Web page, and may even sniff out credit card numbers as they're being processed through the Secure Sockets Layer (SSL).

To avoid privacy invasions, experts recommend that Web users not follow links posted on sites, message boards and chat rooms. Instead, users should type in each Web address, which would provide a small amount of security. More importantly, webmasters need to check their code to verify that proper security measures have been taken.
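What "checking the code" means in practice is finding every place a page echoes request data back into HTML without encoding it. The following is an added illustration, not code from the article, CERT or any of the vendors listed below: a minimal greeting handler written the vulnerable way beside the same handler with HTML escaping, plus a smoke check a webmaster could run over a handler's output. The query string, the function names and the `name` parameter are all constructed for the example.

```python
import html
from urllib.parse import parse_qs

# Constructed sample query string (not from the advisory): the "name" parameter
# carries markup that a careless page would echo straight back to the browser.
SAMPLE_QUERY = "name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"


def untrusted_name(query: str) -> str:
    """Pull the 'name' parameter out of a query string; treat it as attacker-controlled."""
    params = parse_qs(query, keep_blank_values=True)
    return params.get("name", [""])[0]


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable pattern: untrusted input interpolated into HTML verbatim.
    Whatever markup the request carried is now part of the page the next
    visitor's browser executes."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """Hardened pattern: escape the HTML-significant characters (& < > " ')
    before the value reaches an element body, so the browser shows it as text."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_link_safe(label: str) -> str:
    """Attribute context: the same escaping with quote=True keeps a value from
    closing a quoted attribute early; the attribute itself must be quoted."""
    return f'<a title="{html.escape(label, quote=True)}">link</a>'


def reflects_unescaped(untrusted: str, rendered: str) -> bool:
    """Regression smoke test for a handler's output: True if the raw input
    appears verbatim in the page while containing characters HTML would
    interpret as markup. Exact-substring matching only, so a False result
    is not a proof of absence."""
    significant = set('<>"\'&')
    return any(c in significant for c in untrusted) and untrusted in rendered


if __name__ == "__main__":
    name = untrusted_name(SAMPLE_QUERY)
    for label, page in (("unsafe", render_greeting_unsafe(name)),
                        ("safe", render_greeting_safe(name))):
        print(f"{label}: {page}  reflected unescaped: {reflects_unescaped(name, page)}")
```

The escaping must happen at output time and match the context the value lands in (element body, quoted attribute, URL, script); `html.escape` covers the first two, which is where most reflected script in 2000-era server pages originated.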

More information about this topic is available on the CERT website at:
www.cert.org/advisories/CA-2000-02.html

Security tips can be directly accessed from CERT at:
http://www.cert.org/tech_tips/malicious_code_FAQ.html

Plus, CERT has assembled a list of vendors offering assistance in tackling CSS:

  • Apache
    http://www.apache.org/info/css-security

  • iPlanet - A Sun-Netscape Alliance
    http://developer.iplanet.com/docs/technote/security/cert_ca2000_02.html

  • Microsoft
    www.microsoft.com/security/

  • Sun Microsystems, Inc.
    http://sun.com/software/jwebserver/faq/jwsca-2000-02.html