Page 1484 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Web Application Security
The web allows you to purchase airline tickets, check your email, pay
your bills, and purchase stocks all from the comfort of your living
room. Almost every business today operates a website, and many allow
you to conduct sensitive transactions through that site.
Along with the convenience benefits of web applications comes a series
of new vulnerabilities that may expose web-enabled organizations to
security risks. In the next several sections, we’ll cover some common
web application attacks. Additional detail on web application security
can be found in Chapter 9, “Security Vulnerabilities, Threats, and
Countermeasures.”
Cross-Site Scripting
Cross-site scripting (XSS) attacks occur when a web application takes
input from a user and echoes, or "reflects," it back into a page
without encoding it, so the browser interprets the input as markup or
script rather than as plain text. For example, consider a simple web
application that contains a single text box asking a user to enter
their name. When the user clicks Submit, the web application loads a
new page that says, "Hello, name."
Under normal circumstances, this web application functions as
designed. However, a malicious individual could take advantage of this
web application to trick an unsuspecting third party. As you may
know, you can embed scripts in web pages by using the Hypertext
Markup Language (HTML) tags <SCRIPT> and </SCRIPT>. Suppose
that, instead of entering Mike in the Name field, you enter the
following text:
Mike<SCRIPT>alert('hello')</SCRIPT>
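As an added example that is not part of the study guide, the following Node.js script builds the "Hello, name" page two ways: concatenating the submitted name straight into the markup, which is the reflection described in this section, and output-encoding it first, which is the standard fix. It goes one step past the text by also echoing the name into an input's value attribute, where a payload with no angle brackets at all can break out of the attribute. All function names, the helper checks, and the sample inputs are constructed for this illustration.

```javascript
// Added example, not from the study guide: the "Hello, name" page from the
// text, built the vulnerable way and the hardened way, in plain Node.js.
// All function names and sample inputs here are constructed for illustration.

// VULNERABLE: the submitted name is concatenated straight into the markup,
// so a value containing <SCRIPT> reaches the browser as an element, not text.
function renderGreetingUnsafe(name) {
  return `<html><body><p>Hello, ${name}.</p></body></html>`;
}

// Output encoding for HTML text and double-quoted attribute values: the five
// characters that can change document structure become entity references.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// HARDENED: encode the untrusted value at the point it is inserted. The
// browser now shows the literal text "<SCRIPT>..." and runs nothing.
function renderGreetingSafe(name) {
  return `<html><body><p>Hello, ${escapeHtml(name)}.</p></body></html>`;
}

// Second context: the same name echoed into an input's value attribute, as a
// form that re-populates the field after submission would do.
function renderFormUnsafe(name) {
  return `<form><input name="name" value="${name}"></form>`;
}
function renderFormSafe(name) {
  return `<form><input name="name" value="${escapeHtml(name)}"></form>`;
}

// Crude offline checks used only by this example; a real test would load the
// page in a browser and watch for script execution.
function containsScriptElement(html) {
  return /<script\b[^>]*>/i.test(html);
}
// Returns what the browser would treat as the content of the value attribute.
function valueAttribute(html) {
  const m = /value="([^"]*)"/.exec(html);
  return m ? m[1] : null;
}

// Constructed inputs: the benign name, the payload from the text, and an
// attribute-breakout payload that contains no angle brackets at all.
const BENIGN = 'Mike';
const SCRIPT_PAYLOAD = "Mike<SCRIPT>alert('hello')</SCRIPT>";
const ATTR_PAYLOAD = '" autofocus onfocus="alert(1)';

function demo() {
  const results = {
    benignUnsafe: renderGreetingUnsafe(BENIGN),
    unsafeTextExecutes: containsScriptElement(renderGreetingUnsafe(SCRIPT_PAYLOAD)),
    safeTextExecutes: containsScriptElement(renderGreetingSafe(SCRIPT_PAYLOAD)),
    // After the breakout the attribute's real value is empty and the rest of
    // the payload has become new attributes (autofocus, onfocus) on the element.
    unsafeAttrValue: valueAttribute(renderFormUnsafe(ATTR_PAYLOAD)),
    // With encoding, the whole payload stays inside the attribute as text.
    safeAttrValue: valueAttribute(renderFormSafe(ATTR_PAYLOAD)),
  };
  console.log(results);
  return results;
}

demo();
```

The attribute case is why filtering for `<SCRIPT>` on the way in is not a fix: the breakout payload never uses an angle bracket. Encoding on the way out, chosen for the context the value lands in (HTML text, attribute, JavaScript string, URL), is what keeps the browser treating user input as data.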
When the web application "reflects" this input into the page it
returns, your browser processes that page as it would any other: It
displays the text portions and executes the script portions. In this
case, the script simply opens a pop-up window that says "hello" in
it, which does no harm but proves that attacker-supplied script runs
in the victim's browser. However, you could be more malicious and
include a more sophisticated script that asks the user to provide a
password and

