Cross Site Scripting
Tom Kelliher, CS 318
Feb. 4, 2000
Lists & subroutines in Perl.
- Chapters 1--5.
- MinMax in Perl.
- Cross Site Scripting.
- Background: Browsers can execute scripts.
- The old, standard trojan: malicious code provided by one client
for another client.
- The new trojan: malicious code sent by a client for itself:
SRC='http://www.badguys.com/badfile'></SRC>">Link to neato stuff
from goodguys here</A>
This is what is meant by cross-site scripting.
- Abuse of other tags, such as
- Same source origin security model for scripting: pages sent by one
source contain only scripts from that source.
- SSL-encrypted connections may be exposed.
- Attacks may be persistent through poisoned cookies.
- Attacker may access restricted web sites from the attacked client.
Thomas P. Kelliher
Fri Feb 4 12:59:19 EST 2000