Updated: July 11, 2020 (March 5, 2000)
Analyst Report
Cross-Site Scripting Attack Exposes User Data
A “cross-site scripting” security hole enables attackers to intercept sensitive data such as credit card numbers from a Web site’s users or vandalize Web site content sent to users. The security hole isn’t limited to Microsoft products; it affects any browser and any Web site that generates pages dynamically (e.g., by using Active Server Pages or Common Gateway Interface scripts). While Microsoft has no reports of exploits yet, there’s little users can do to protect themselves; Web sites must modify their scripts to close the hole.
The security hole arises because Web sites frequently incorporate browser-supplied input (such as the URL the browser just followed) into the Web pages they generate. In one scenario, an attacker mails a user a specially modified link to the Web site under attack. If the user “clicks through” the link, the user’s browser sends the Web site a script as part of its input. The Web site treats the script as input, inserting it into a Web page and returning the page to the user. The script will then run in the user’s browser with the same privileges as any script that came from the Web site itself. This allows the script to steal sensitive information intended for the Web site or alter the Web site’s appearance to the user.
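The scenario above and the server-side fix, as an added example that is not part of the original report: a page generator that echoes a URL parameter verbatim, next to one that HTML-encodes it first. The host `shop.example`, the `q` parameter, the page template and all function names are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample links: one ordinary, one carrying markup in the "q" parameter.
BENIGN_URL = "http://shop.example/search?q=blue+widgets"
CRAFTED_URL = "http://shop.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

# Hypothetical page template that reflects the search term back to the user.
PAGE = "<html><body><p>Results for: {term}</p></body></html>"


def search_term(url):
    """Return the browser-supplied 'q' value, already URL-decoded."""
    values = parse_qs(urlsplit(url).query).get("q", [""])
    return values[0]


def render_vulnerable(url):
    # Echoes input verbatim: any markup in it becomes part of the page.
    return PAGE.format(term=search_term(url))


def render_fixed(url):
    # HTML-encodes input so <, >, &, " and ' are displayed rather than parsed.
    return PAGE.format(term=escape(search_term(url), quote=True))


class ScriptCounter(HTMLParser):
    """Counts <script> elements the way an HTML parser would see them."""

    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def script_elements(page):
    counter = ScriptCounter()
    counter.feed(page)
    counter.close()
    return counter.scripts


if __name__ == "__main__":
    for url in (BENIGN_URL, CRAFTED_URL):
        print(script_elements(render_vulnerable(url)), script_elements(render_fixed(url)))
```

Encoding at the point of output leaves ordinary input unchanged, so the benign link renders identically in both versions while the crafted one is shown as text.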