Web Vulnerability

by msecadm4921

Internet security tests, conducted by NTA Monitor during 2005, showed that many web servers and web-based applications were vulnerable to cross site scripting attacks.

Now the IT firm reports that a new cross site scripting method is beginning to appear that could allow attackers to monitor visitors’ searches, usernames and passwords without their knowledge.

Cross site scripting enables an attacker to execute malicious code on a user’s machine via the browser. The flaw arises when information submitted by users is not properly stripped of HTML tags, enabling an attacker to embed malicious code on a website. When accessed, it will execute code in a user’s browser. A user may be redirected to a fake website or have their login or user information compromised. In the worst cases, users’ computers can be compromised.
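The flaw described above can be seen by rendering the same visitor submission two ways. This is an added example, not code from NTA Monitor or the magazine; the function names and the sample comment are constructed, and the hardened version uses output encoding rather than tag stripping.

```javascript
// Added example: hypothetical function names, constructed sample data.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the five characters that let text be read as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the visitor's text is pasted into the page as markup,
// so any tags it contains become part of the page.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Hardened: every user-supplied value is encoded at output time,
// so the browser shows it as text instead of interpreting it.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Simple check a reviewer or test suite can run on rendered output.
function hasScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample submission containing a script tag.
const sample = { author: "visitor", body: "<script>alert(1)</script>" };

const unsafeHtml = renderCommentUnsafe(sample.author, sample.body);
const safeHtml = renderCommentSafe(sample.author, sample.body);

console.log("unsafe output contains a script tag:", hasScriptTag(unsafeHtml));
console.log("safe output contains a script tag:  ", hasScriptTag(safeHtml));
console.log(safeHtml);
```

Encoding at the point of output keeps legitimate text such as `a < b` readable, which tag stripping does not.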

What they say

Roy Hills, Technical Director at NTA Monitor, says of the emerging trend: "Attackers are creating websites in which they embed malicious code to track a visitor’s searches, usernames and passwords. The code can affect a visitor’s PC without their knowledge and can quickly spread to other visitors’ machines. Interactive social websites, blogs and forums could be affected, as visitors may not necessarily be aware of the legitimacy of the companies or individuals that own the websites that they visit. If the code is embedded in a homepage, it would mean that every visitor landing on the homepage would be affected."

With the popularity of social networking sites such as MySpace and YouTube soaring, consumers and organisations are being warned by NTA of this emerging threat. It is possible that employees could put corporate network security at risk by visiting these types of websites while at work.

It can be difficult to identify the malicious code, as browsers do not currently identify malware; the best way to safeguard against it is to undertake regular security testing. However, the firm adds, there are some precautions that can be taken to minimise the threat to organisations and individuals: ensure that employees install, run and update anti-spyware and anti-malware programs such as AdAware; do regular penetration testing; and publish an IT policy stating that employees should not visit non-work-related websites during the working day.

© 2024 Professional Security Magazine. All rights reserved.