CERT Issues Advisory about Malicious HTML Tags | Internet News


Written By
Scott Clark
Feb 4, 2000

CERT this week issued an advisory about
malicious HTML tags that can be embedded in client Web requests.

The
concern is that a Web site may inadvertently include malicious HTML tags or
script code in a page that is dynamically generated, based on input from
untrustworthy sources that has not been validated. Typically, this can be a
problem when a Web server does not ensure that the generated pages are
properly encoded so as to prevent scripts from erroneously being executed, or
when input is not validated, allowing malicious HTML code to be presented
to the user.


The problem starts with the end-user’s Web browser–most Web browsers have
the capability to interpret scripts that are embedded in Web pages. These
scripts may be written in a variety of scripting languages, and are
executed by the client’s browser. Most browsers are by default installed
with the capability to run scripts.


Here’s how it would work: a Web site that features a Web-based discussion
group could enable a client to embed malicious HTML tags within a message
that is intended for another client to view in their browser. The attacker
might post a message such as the following:

Hello message board. This is a message.
<SCRIPT>malicious code</SCRIPT>
This is the end of my message.

When another user with scripts enabled in their browser (and most are)
reads the message above, the malicious code may be executed unexpectedly by
their browser. Scripting tags that can be utilized in this fashion can
include SCRIPT, OBJECT, APPLET, and EMBED.
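As an added illustration (not part of the CERT advisory or the original article), this Python sketch renders the message-board post quoted above once without output encoding and once with it, then checks which of the tags named in the article a browser would still parse as markup. The function names, the `post` wrapper markup and the sample string are assumptions made for the example.

```python
import html
import re

# Tags the article names as usable for embedding scripts, plus FORM.
RISKY_TAGS = ("script", "object", "applet", "embed", "form")
TAG_RE = re.compile(r"<\s*/?\s*(%s)\b" % "|".join(RISKY_TAGS), re.IGNORECASE)

# Constructed sample post, modeled on the message quoted in the article.
SAMPLE_POST = (
    "Hello message board. This is a message.\n"
    "<SCRIPT>malicious code</SCRIPT>\n"
    "This is the end of my message."
)


def render_unencoded(post: str) -> str:
    """Vulnerable: untrusted text is pasted into the page as markup."""
    return '<div class="post">' + post + "</div>"


def render_encoded(post: str) -> str:
    """Hardened: <, >, & and quotes become entities, so the browser
    displays the text instead of interpreting it. html.escape is suited
    to element content and quoted attribute values."""
    return '<div class="post">' + html.escape(post, quote=True) + "</div>"


def active_tags(page: str) -> list[str]:
    """Return the risky tags that survive in the page as real markup."""
    return sorted({m.group(1).lower() for m in TAG_RE.finditer(page)})


if __name__ == "__main__":
    for name, render in (("unencoded", render_unencoded),
                         ("encoded", render_encoded)):
        page = render(SAMPLE_POST)
        print(name, "-> active risky tags:", active_tags(page))
        print(page)
        print()
```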



Additionally, other HTML tags such as the FORM tag have the potential to be
abused in a similar manner. An attacker can fool users into revealing
sensitive information by modifying the behavior of a form; other HTML tags
can also be used to change the appearance of a page, insert unwanted or
offensive images or sounds, or otherwise interfere with the page. Potential
problems with malicious code include:


  • SSL-Encrypted Connections May Be Exposed
  • Attacks May Be Persistent Through Poisoned Cookies
  • Attacker May Access Restricted Web Sites from the Client
  • Domain Based Security Policies May Be Violated
  • Use of Less-Common Character Sets May Present Additional Risk
  • Attacker May Alter the Behavior of Forms

CERT's solution for end-users is a scary one for those running commercial
sites: disable all scripting languages in their browser.

“Exploiting this
vulnerability to execute code requires that some form of embedded scripting
language be enabled in the victim’s browser. The most significant impact of
this vulnerability can be avoided by disabling all scripting languages,” the advisory said.
