Recommended Practice Case Study: Cross-Site Scripting

"This paper is intended to support and encourage application of recommended practices for control systems security. It describes the details of an information security attack, known as cross-site scripting, that could be used against control systems and explains practices to mitigate this threat. Additional information and resources regarding recommended practices, defense in depth, and other control systems security issues are found on the Control Systems Security Program Recommended Practices Web site, http://csrp.inl.gov/. Cross-site scripting presents one entry point for attackers to access and manipulate control systems networks. It takes advantage of Web servers that return dynamically generated Web pages or allow users to post viewable content in order to execute arbitrary HTML and active content such as JavaScript, ActiveX, and VBScript on a remote machine browsing the site within the context of a client-server session. This potentially allows the attacker to redirect the Web page to a malicious location, hijack the client-server session, engage in network reconnaissance, and plant backdoor programs."

Public Domain
Retrieved From:
United States Computer Emergency Readiness Team (US-CERT): http://www.us-cert.gov/
Media Type: