Fujitsu V6.0 Server User Manual


 
Chapter 3: Notes on Interstage Operation
Common Notes for Interstage
About Netscape 6
Do not install Netscape 6 on the same system.
About the Cross-Site Scripting Problem
What is the Cross-Site Scripting Problem?
Cross-Site Scripting is a security problem that arises when input data sent from the client Web browser is copied, unchecked, into a dynamically generated Web page and returned to the browser, where the browser executes any script it contains. Static HTML pages, and dynamically generated pages that do not use the input data, are not affected by this problem.
The following example explains it:
1) The following script is an example of what is executed when Cross-Site Scripting occurs. It is typed into a field of the input form, just before "Submit" is pressed:
<SCRIPT Language=JavaScript>alert("Hello");</SCRIPT>
2) After the input data is sent, the page generated from it comes back and a dialog box showing "Hello" is displayed.
The input data was processed, but so was the script. If the user sends the input data directly to the trusted site, there is no real problem, even though the page is obviously faulty: the user is only running a script on himself. But when the user sends the input data through an untrusted site, and the untrusted site passes it on as input data to the trusted site, the script chosen by the untrusted site is executed in the user's browser as if it were part of the trusted site's page. This is the Cross-Site Scripting problem.
Analysis of the Problem
Applications such as CGI programs and Servlets that generate dynamic pages for display by the Web browser, and that build those pages from the input data without checking it, are affected by this problem and need to be fixed.
Examples:
Pages that display retrieved results (for example a search page that echoes the search key word)
Pages that check the input for errors and echo the rejected input in the error message
Pages that register the input data in a database and later display it when it is looked up by key word
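As an added illustration, not code from this manual or from Interstage, the following Python shows two of the page types listed above, a retrieved-result page and a page that registers input and displays it again later, each first built the way the problem arises and then with the input HTML-escaped at output time. The page layout, the form parameter name "q", and the in-memory dictionary standing in for the database are assumptions made for the example; the test input is the manual's own script.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed test input: the same script the manual's example uses.
TEST_SCRIPT = '<SCRIPT Language=JavaScript>alert("Hello");</SCRIPT>'


def query_for(keyword: str) -> str:
    """Build the query string a browser would send for the form field 'q'
    (an assumed parameter name)."""
    return urlencode({"q": keyword})


def _keyword(query_string: str) -> str:
    """Extract the 'q' form field from a query string."""
    return parse_qs(query_string).get("q", [""])[0]


def result_page_unchecked(query_string: str) -> str:
    """Retrieved-result page as an affected CGI would build it:
    the submitted key word is copied into the HTML as-is."""
    return (
        "<html><body>"
        f"<p>Results for: {_keyword(query_string)}</p>"
        "<p>No matching entries.</p>"
        "</body></html>"
    )


def result_page_escaped(query_string: str) -> str:
    """Same page with the key word HTML-escaped, so '<' becomes '&lt;' and the
    browser shows the script as text instead of executing it."""
    return (
        "<html><body>"
        f"<p>Results for: {html.escape(_keyword(query_string))}</p>"
        "<p>No matching entries.</p>"
        "</body></html>"
    )


def register_entry(store: dict, key: str, data: str) -> None:
    """Register input data under a key word (dictionary stands in for a database)."""
    store[key] = data


def display_entry_unchecked(store: dict, key: str) -> str:
    """Stored data shown without escaping: the script survives the round trip
    through the store and is executed for every visitor who looks it up."""
    return f"<html><body><p>{key}: {store.get(key, '')}</p></body></html>"


def display_entry_escaped(store: dict, key: str) -> str:
    """Escaping at output time fixes the stored case as well."""
    return (
        "<html><body>"
        f"<p>{html.escape(key)}: {html.escape(store.get(key, ''))}</p>"
        "</body></html>"
    )


def script_survives(page: str, script: str = TEST_SCRIPT) -> bool:
    """The manual's test, automated: does the generated page still contain the
    submitted script verbatim, so that a browser would run it?"""
    return script in page


if __name__ == "__main__":
    qs = query_for(TEST_SCRIPT)
    print("result page, unchecked:", script_survives(result_page_unchecked(qs)))
    print("result page, escaped:  ", script_survives(result_page_escaped(qs)))
    db = {}
    register_entry(db, "greeting", TEST_SCRIPT)
    print("stored, unchecked:", script_survives(display_entry_unchecked(db, "greeting")))
    print("stored, escaped:  ", script_survives(display_entry_escaped(db, "greeting")))
```

The escaping is applied where the page is generated, not where the data is received: the third example above shows why, since data that is stored first and displayed later reaches the browser just the same whether or not it was checked on the way in.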
Investigation Method
Review each application program from the point where the input data is received to the point where the Web page is generated, and confirm that the input data cannot reach the generated page unchecked. This can be done manually, by visual inspection of the source code, or, when reviewing the source program is not practical, by running tests such as the one described above: submit the script in each input field and check whether the dialog box appears.