CISSP Official Study Guide, Eighth Edition
Mike Chapple, James Michael Stewart, Darril Gibson, CISSP Official Study Guide, Sybex (2018)

Cross-Site Scripting

Cross-site scripting (XSS) attacks occur when web applications contain some type of reflected input, that is, user-supplied data that the application writes back into the page it returns. For example, consider a simple web application that contains a single text box asking a user to enter their name. When the user clicks Submit, the web application loads a new page that says, "Hello, name."

Chapter 21: Malicious Code and Application Attacks

Under normal circumstances, this web application functions as designed. However, a malicious individual could take advantage of this web application to trick an unsuspecting third party. As you may know, you can embed scripts in web pages by using the Hypertext Markup Language (HTML) tags <SCRIPT> and </SCRIPT>. Suppose that, instead of entering Mike in the Name field, you enter the following text:

Mike <SCRIPT>alert('hello')</SCRIPT>

When the web application "reflects" this input in the form of a web page, your browser processes it as it would any other web page: it displays the text portions of the web page and executes the script portions. In this case, the script simply opens a pop-up window that says "hello" in it. However, you could be more malicious and include a more sophisticated script that asks the user to provide a password and transmits it to a malicious third party.
At this point, you're probably asking yourself how anyone would fall victim to this type of attack. After all, you're not going to attack yourself by embedding scripts in the input that you provide to a web application that performs reflection. The key to this attack is that it's possible to embed form input in a link: the values the form would submit can be carried in the query string of a URL. A malicious individual could create a web page with a link titled "Check your account at First Bank" and encode the form input, script included, in that link. When the user visits the link, the web page appears to be an authentic First Bank website (because it is!) with the proper address in the address bar and a valid digital certificate. However, the website would then reflect and execute the script supplied by the malicious user, which appears to be part of the valid web page. Because the script runs as part of the bank's own page, it runs with that page's privileges in the browser and can read whatever the page can read, including the user's session with the bank.
What's the answer to cross-site scripting? When you create web applications that allow any type of user input, you must be sure to perform input validation, and to encode the input when it is written back into a page so that the browser treats it as text rather than as markup. At the most basic level, you should never allow a user to include the
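The reflected "Hello, name" page, the crafted link and the defenses described above, as an added example in Node.js. This code is not from the Study Guide; the host firstbank.example, the path /greet and every function name are illustrative assumptions. It reflects the name parameter into the page with and without HTML entity encoding, applies an allow-list check as the input validation the text calls for, and builds the kind of link an attacker would send:

```javascript
// Added example (not from the Study Guide): a reflected-XSS "Hello, name"
// page in Node.js, the attacker's link, and two defenses. The path /greet,
// the host firstbank.example and all function names are assumptions.

// Vulnerable renderer: reflects the name into the page verbatim.
function renderGreetingUnsafe(name) {
  return `<html><body><p>Hello, ${name}.</p></body></html>`;
}

// HTML entity encoding for a value placed inside an element body. (Attribute
// values, URLs and inline script need context-specific encoding instead.)
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Hardened renderer: same page, but the browser now sees "&lt;SCRIPT&gt;"
// and displays the tags as text instead of executing them.
function renderGreetingSafe(name) {
  return `<html><body><p>Hello, ${escapeHtml(name)}.</p></body></html>`;
}

// Allow-list input validation for a name field: letters, spaces, periods,
// apostrophes and hyphens, 1 to 64 characters. Everything else is rejected.
function isValidName(name) {
  return /^[\p{L} .'-]{1,64}$/u.test(name);
}

// Stand-in for the web application's request handler. `validate` and `encode`
// switch the two defenses on independently so each effect can be seen alone.
function handleRequest(url, { validate = false, encode = false } = {}) {
  const name = new URL(url).searchParams.get("name") ?? "";
  if (validate && !isValidName(name)) {
    return { status: 400, body: "Rejected: the name contains characters that are not allowed." };
  }
  const body = encode ? renderGreetingSafe(name) : renderGreetingUnsafe(name);
  return { status: 200, body };
}

// The attacker's side: form input embedded in a link to the real site. The
// payload is URL-encoded in the query string; the server decodes it back.
function buildAttackLink(origin, payload) {
  const link = new URL("/greet", origin);
  link.searchParams.set("name", payload);
  return link.href;
}

// Crude stand-in for the browser's parser: would this response execute a script?
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Constructed sample: the payload from the text, wrapped in a
// "Check your account at First Bank" link.
const PAYLOAD = "Mike <SCRIPT>alert('hello')</SCRIPT>";
const ATTACK_LINK = buildAttackLink("https://firstbank.example", PAYLOAD);

console.log("Link the victim clicks:", ATTACK_LINK);
console.log("No defense, script executes:", containsScriptTag(handleRequest(ATTACK_LINK).body));
console.log("Output encoding only, script executes:", containsScriptTag(handleRequest(ATTACK_LINK, { encode: true }).body));
console.log("Input validation only, HTTP status:", handleRequest(ATTACK_LINK, { validate: true }).status);
```

Run it with node. Both layers are worth keeping: the allow-list rejects this payload outright, but a field that legitimately accepts punctuation (a comment box, a search string) cannot use so strict a list, and there output encoding is what keeps the browser from treating the reflected value as markup. The escapeHtml routine covers only text inside an element body; a value placed in an attribute, a URL or a script block needs encoding appropriate to that context.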