Software Engineering Institute | Carnegie Mellon University


White Paper

Cross-Site Scripting Vulnerabilities

  • January 2001
  • By Jason Rafail
  • In this paper, Jason Rafail discusses cross-site scripting vulnerabilities.
  • Vulnerability Analysis
  • Publisher: Software Engineering Institute
  • Abstract

    Have you ever mistyped the address of a web site and received a message like "Error - page name could not be found" or "The page you requested: page name does not exist"? Certainly you have, and odds are you never gave it a second thought; you simply corrected the address or went to a different site altogether. It happens all the time. There are plenty of dead links, or links with typos to stumble upon. However, when you encounter an error message like the two listed above, you are actually witnessing a potential security breach—not necessarily against the site, but rather against you directly. 

    Suppose you entered the following valid URL:

    http://www.example.com/FILENAME.html

    If the document "FILENAME.html" did not exist, the web site could return an error message such as

    <HTML>
    404 page does not exist: FILENAME.html
    ....
    </HTML>

    Notice that "FILENAME.html" is a string that you entered. The web site has included it in the page returned straight through to your browser.

    This may seem harmless, but now imagine that you are browsing through auctions on a popular site; let's call it auction.example.com. You come across several auctions that someone has posted and would like to see more items that the same person has for sale; let's assume this person is a "bad guy" (though you don't know it) and call him BG12345. You click on BG12345's website and see a listing of his auctions. You click on a link on his page that interests you and are taken to auction.example.com's site displaying that item. You scroll down to place a bid, and the auction site prompts you for your name and password to sign in. You enter all the information and hit the submit button. Everything looks fine, but in reality, the information that you submit is getting sent back to BG12345. How can this be? The answer is that auction.example.com has what is known as a cross-site scripting (CSS) vulnerability.
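The 404 echo the abstract describes, as an added example that is not part of the paper: a handler that copies the requested file name straight into the error page beside one that HTML-escapes it first, with a parser-based check showing which response lets user-supplied markup become real elements. The request paths and the `<b>` tag in the constructed input are assumptions for the demonstration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit


def _requested_name(request_path: str) -> str:
    """Path portion of the request (query string dropped), percent-decoded."""
    return unquote(urlsplit(request_path).path.lstrip("/"))


def not_found_page_vulnerable(request_path: str) -> str:
    # Copies the user-supplied name into the page verbatim, as in the abstract.
    name = _requested_name(request_path)
    return f"<HTML>\n404 page does not exist: {name}\n....\n</HTML>"


def not_found_page_escaped(request_path: str) -> str:
    # Same page, but the untrusted string is escaped before insertion, so the
    # browser can only ever render it as text, never as markup.
    name = _requested_name(request_path)
    return f"<HTML>\n404 page does not exist: {html.escape(name, quote=True)}\n....\n</HTML>"


class _TagCollector(HTMLParser):
    """Records every start tag a browser-like parser sees in a response body."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_names(body: str) -> list:
    p = _TagCollector()
    p.feed(body)
    p.close()
    return p.tags


# Constructed requests (assumed): a plain file name, and one whose name carries
# a harmless <b> element, percent-encoded as a browser would send it.
PLAIN = "/FILENAME.html"
MARKED_UP = "/FILENAME%3Cb%3Ex%3C/b%3E.html"

if __name__ == "__main__":
    for path in (PLAIN, MARKED_UP):
        print(path,
              "vulnerable:", element_names(not_found_page_vulnerable(path)),
              "escaped:", element_names(not_found_page_escaped(path)))
```

Only the vulnerable handler turns the second request into an extra element in the page; the escaped handler yields the same single `html` element for both inputs.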
