RealTime IT News

CERT Issues Advisory about Malicious HTML Tags

CERT this week issued an advisory about malicious HTML tags that can be embedded in client Web requests.

The concern is that a Web site may inadvertently include malicious HTML tags or script code in a page that is dynamically generated, based on input from untrustworthy sources that has not been validated. Typically, this can be a problem when a Web server does not ensure that the generated pages are properly encoded as to prevent scripts from erroneously being executed, or when input is not validated, allowing malicious HTML code to be presented to the user.

The problems starts with the end-user's Web browser--most Web browsers have the capability to interpret scripts that are embedded in Web pages. These scripts may be written in a variety of scripting languages, and are executed by the client's browser. Most browsers are by default installed with the capability to run scripts.

Here's how it would work: a Web site that features a Web-based discussion group could enable a client to embed malicious HTML tags within a message that is intended for another client to view in their browser. The attacker might post a message such as the following:

Hello message board. This is a message.
<SCRIPT>malicious code</SCRIPT>
This is the end of my message.
When another user with scripts enabled in their browser (and most are) reads the message above, the malicious code may be executed unexpectedly by their browser. Scripting tags that can be utilized in this fashion can include SCRIPT, OBJECT, APPLET, and EMBED.

Additionally, other HTML tags such as the FORM tag have the potential to be abused in a similar manner. An attacker can fool users into revealing sensitive information by modifying the behavior of a form; other HTML tags can also be used to change the appearance of a page, insert unwanted or offensive images or sounds, or otherwise interfere with the page. Potential problems with malicious code include:

  • SSL-Encrypted Connections May Be Exposed
  • Attacks May Be Persistent Through Poisoned Cookies
  • Attacker May Access Restricted Web Sites from the Client
  • Domain Based Security Policies May Be Violated
  • Use of Less-Common Character Sets May Present Additional Risk
  • Attacker May Alter the Behavior of Forms
CERT's solution for end-users is a scary one for those running commercial sites--disable all scripting languages in their browser.

"Exploiting this vulnerability to execute code requires that some form of embedded scripting language be enabled in the victim's browser. The most significant impact of this vulnerability can be avoided by disabling all scripting languages," the advisory said.