CERT Issues Advisory about Malicious HTML Tags

CERT this week issued an advisory about
malicious HTML tags that can be embedded in client Web requests.

The concern is that a Web site may inadvertently include malicious HTML tags
or script code in a dynamically generated page when that page is built from
unvalidated input from untrustworthy sources. Typically, this can be a
problem when a Web server does not ensure that the generated pages are
properly encoded so as to prevent scripts from erroneously being executed, or
when input is not validated, allowing malicious HTML code to be presented
to the user.


The problem starts with the end-user’s Web browser–most Web browsers have
the capability to interpret scripts that are embedded in Web pages. These
scripts may be written in a variety of scripting languages, and are
executed by the client’s browser. Most browsers are by default installed
with the capability to run scripts.


Here’s how it would work: a Web site that features a Web-based discussion
group could enable a client to embed malicious HTML tags within a message
that is intended for another client to view in their browser. The attacker
might post a message such as the following:


Hello message board. This is a message.
<SCRIPT>malicious code</SCRIPT>
This is the end of my message.

When another user with scripts enabled in their browser (and most are)
reads the message above, the malicious code may be executed unexpectedly by
their browser. Scripting tags that can be utilized in this fashion can
include SCRIPT, OBJECT, APPLET, and EMBED.


Additionally, other HTML tags such as the FORM tag have the potential to be
abused in a similar manner. An attacker can fool users into revealing
sensitive information by modifying the behavior of a form; other HTML tags
can also be used to change the appearance of a page, insert unwanted or
offensive images or sounds, or otherwise interfere with the page. Potential
problems with malicious code include:


  • SSL-Encrypted Connections May Be Exposed
  • Attacks May Be Persistent Through Poisoned Cookies
  • Attacker May Access Restricted Web Sites from the Client
  • Domain Based Security Policies May Be Violated
  • Use of Less-Common Character Sets May Present Additional Risk
  • Attacker May Alter the Behavior of Forms
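
The encoding step described above, applied to the message-board post from the article, as an added example that is not code from CERT or from the original page. The page template, the function names and the explicit charset declaration are assumptions made for illustration.

```python
import html
import re

# Tags the article names as abusable when they reach the browser as markup.
ACTIVE_TAGS = ("script", "object", "applet", "embed", "form")
TAG_RE = re.compile(r"<\s*/?\s*(%s)\b" % "|".join(ACTIVE_TAGS), re.IGNORECASE)

# Constructed sample post, modeled on the message shown in the article.
POST = (
    "Hello message board. This is a message.\n"
    "<SCRIPT>malicious code</SCRIPT>\n"
    "This is the end of my message."
)

# Hypothetical page template. Declaring the charset explicitly is a choice
# made for this example, related to the character-set risk listed above.
PAGE = (
    '<html><head><meta http-equiv="Content-Type" '
    'content="text/html; charset=utf-8"></head>\n'
    '<body><div class="post">{body}</div></body></html>'
)


def render_unsafe(message):
    """Vulnerable 'before': untrusted input is pasted into the page as-is."""
    return PAGE.format(body=message)


def render_encoded(message):
    """Hardened 'after': encode <, >, & and quotes so input stays text."""
    return PAGE.format(body=html.escape(message, quote=True))


def live_tags(page):
    """Return the active tags that a browser would parse as markup."""
    return sorted({m.group(1).lower() for m in TAG_RE.finditer(page)})


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("encoded", render_encoded)):
        page = render(POST)
        print(f"{name}: live tags = {live_tags(page)}")
        print(page, end="\n\n")
```

Running `live_tags` over generated pages in a test suite gives a quick regression check that posted text never reaches the browser as one of these tags.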

CERT’s solution for end-users is a scary one for those running commercial
sites–disable all scripting languages in their browser.

“Exploiting this vulnerability to execute code requires that some form of
embedded scripting language be enabled in the victim’s browser. The most
significant impact of this vulnerability can be avoided by disabling all
scripting languages,” the advisory said.
