Software Engineering Institute | Carnegie Mellon University

White Paper

2000 Tech Tip: Understanding Malicious Content Mitigation for Web Developers

  • January 2000
  • This 2000 tech tip contains discussion about malicious content mitigation.
  • Vulnerability Analysis
  • Publisher: CERT Division
  • Abstract

    Web pages contain both text and HTML markup that is generated by the server and interpreted by the client browser. Servers that generate static pages have full control over how the client will interpret the pages sent by the server. However, servers that generate dynamic pages do not have complete control over how their output is interpreted by the client. The heart of the issue is that if untrusted content can be introduced into a dynamic page, neither the server nor the client has enough information to recognize that this has happened and take protective actions.

    Any data inserted into an output stream originating from a server is presented as originating from that server, even if it does not include malicious tags. Web developers must evaluate whether their sites will send untrusted data as part of an output stream. A combination of steps must be taken to mitigate this vulnerability. These steps are detailed in this tech tip.
