Chapter 3: Notes on Interstage Operation

Common Notes for Interstage

About Netscape 6

Do not install Netscape 6 on the same system.

About the Cross-Site Scripting Problem

What is the Cross-Site Scripting Problem?

The Cross-Site Scripting problem is a security problem that occurs when the client Web browser sends input data back to the server and the server reflects that data into a dynamically generated Web page. Static HTML pages, and dynamically generated Web pages that do not use the input data, are not affected by this problem.

This is explained in the following example:

1) The following script is an example of a script that is executed when cross-site scripting occurs. It is entered into the input data form, just before "Submit" is pressed.

"<SCRIPT Language=JavaScript>alert("Hello");</SCRIPT>"

2) After the input data has been sent, a dialog box showing "Hello" is displayed.

The input data was processed, but so was the script. If the user sends the input data directly to the reliable site, there is no problem even if the page contains such a script. But when the user sends input data through an unreliable site, and the unreliable site passes it on as input data to the reliable site, the script is executed in the context of the reliable site. This is the Cross-Site Scripting problem.

Analysis of the Problem

Applications such as CGI programs and Servlets that generate dynamic pages for display by the Web browser, and that build those pages without checking the input data, are affected and need to be fixed.

Examples:

Pages that display retrieved results

Pages that check the input for errors and display it back

Pages that register the input data in a database and display it again when it is looked up by key word

Investigation Method

Review the application programs one by one from the point of retrieving input data to that of generating the Web pages. This can be done manually, by visual inspection of the source code, or, when reviewing the source program is not practical, by running tests such as the one described above.
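The following is an added example, not code from the Interstage manual. It shows a CGI-style result page that copies input data into the page as-is, the same page with the input escaped before it is placed in the HTML, and the check from step 2) above: sending the manual's test script and seeing whether it comes back intact. The function and variable names are the example's own.

```python
import html

# The test input used in the notes above (step 1).
TEST_INPUT = '<SCRIPT Language=JavaScript>alert("Hello");</SCRIPT>'


def render_result_unsafe(user_input: str) -> str:
    """Result page that places the input data into the HTML unchanged.
    This is the pattern the notes describe as affected by the problem."""
    return f"<html><body><p>You entered: {user_input}</p></body></html>"


def render_result_safe(user_input: str) -> str:
    """Same result page, but the input is HTML-escaped first.
    quote=True also escapes double quotes, so the value is safe when
    it is placed inside an attribute as well as in page text."""
    escaped = html.escape(user_input, quote=True)
    return f"<html><body><p>You entered: {escaped}</p></body></html>"


def echoes_script(page: str, probe: str = TEST_INPUT) -> bool:
    """Step 2 of the notes as a check: does the probe script come back
    intact (browser would execute it) instead of escaped?"""
    return probe.lower() in page.lower()


def review(renderers: dict) -> dict:
    """Run the test against each page generator and report which ones
    are affected. Keys are page names, values are True when affected."""
    return {name: echoes_script(render(TEST_INPUT))
            for name, render in renderers.items()}


if __name__ == "__main__":
    result = review({"unsafe": render_result_unsafe,
                     "safe": render_result_safe})
    for name, affected in result.items():
        print(f"{name}: {'AFFECTED' if affected else 'ok'}")
```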


Fujitsu V6.0 manual Common Notes for Interstage, About Netscape, About the Cross-Site Scripting Problem