Recent Internet security test results reveal that web servers and web-based applications are vulnerable to cross site scripting attacks. Tests were conducted on a variety of companies and public sector organisations across the UK, Europe and Scandinavia between 1 January and 31 December 2005.
Cross site scripting enables an attacker to execute malicious code on a user’s machine via the browser. The flaw arises when information submitted by users is not properly stripped of HTML tags, enabling an attacker to embed malicious code on a website. When clicked on, it will execute code in a user’s browser. A user may be redirected to a fake website or have their login or user information compromised. In the worst cases, users’ computers can be compromised.
Of the risks discovered, 37% were classified as high or medium level risks, which means that the risks are widely known and actively exploited by attackers, permitting unauthorised external users to obtain system access. The majority (63%) were of a low or informational criticality level, indicating that information could be leaked to an attacker that could subsequently be used to penetrate web server security.
Roy Hills, Technical Director at NTA Monitor, says: “As the number, size and complexity of web applications increases, so does a company’s risk exposure. Attackers have begun to focus on web application security problems, and are actively developing tools and techniques for exploiting them. By hacking corporate websites, it is possible to get hold of an array of information, not just about customers, but confidential corporate details.’
‘Web applications are accessible 24 hours a day, 7 days a week and control sensitive data such as customer details, credit card numbers and proprietary corporate data. In order to conduct business online, an organisation or local government authority typically encourages customers into the organisation through the use of a browser running a web-based application. If these systems fail, it will result in a loss of customer trust and confidence, which can undermine all previous investments in e-commerce.”