1. Field of the Invention
This invention relates to computer network security. More particularly, the invention relates to a method and system for avoiding cross-site scripting attacks or other network attacks that use scripting code embedded within uniform resource locators (URLs).
2. Description of the Related Art
Markup languages such as the hypertext markup language (HTML) are used to display documents in web browsers, email clients, and other client software applications. The HTML specification provides for the ability to embed scripts within HTML code, where the scripts are written in a scripting language such as JavaScript, VBScript, Tcl, etc. The script is run in the client software application when the document is loaded or at some other time, such as when a specific event occurs.
Scripts offer a means to extend HTML documents in highly useful and interactive ways. Unfortunately, scripts can also be used for malicious purposes. In particular, a type of Internet attack known as a cross-site scripting (XSS) attack or code injection attack relies on embedding scripting code within a uniform resource locator (URL).
Hackers often embed a malicious script within a URL and deceive a victim into providing the URL to their web browser or other client application, such as by clicking on a hyperlink that represents the URL or copying and pasting the URL from another document. In response, the client application proceeds as if the URL were a normal, non-malicious URL. For example, the client application typically establishes a TCP connection with a server identified by the URL and sends information, including the URL that includes the malicious script, to the server via the TCP connection. The server receives the information sent by the client application, including the URL that includes the malicious script. If the server fails to recognize the script embedded in the URL as being malicious, then the server mistakenly copies the malicious script into the server's response, which is returned by the server to the client application. In the course of processing the server's response, the client application may run the malicious script.
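The reflection step described above, shown as an added example that is not part of the original document: a server that copies a URL parameter into its response unchanged, beside the same response with the parameter HTML-encoded, and a check that reports whether markup from the URL came back verbatim. The host shop.example, the parameter name q, the page template and all function names are assumptions made for illustration.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed request URL: the "q" parameter carries markup instead of a search term.
SAMPLE_URL = "http://shop.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

# Hypothetical response template of the server.
TEMPLATE = "<html><body><p>Results for: {term}</p></body></html>"


def query_value(url, name):
    """Return the first percent-decoded value of a query parameter, or ''."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])
    return values[0]


def render_vulnerable(url):
    """Copy the decoded parameter into the page unchanged (the failure described above)."""
    return TEMPLATE.format(term=query_value(url, "q"))


def render_escaped(url):
    """Encode the parameter for an HTML text context before reflecting it."""
    return TEMPLATE.format(term=html.escape(query_value(url, "q"), quote=True))


def reflects_markup(url, body):
    """True when a parameter containing '<' or '>' appears verbatim in the response body."""
    value = query_value(url, "q")
    return any(c in value for c in "<>") and value in body


if __name__ == "__main__":
    for render in (render_vulnerable, render_escaped):
        body = render(SAMPLE_URL)
        print(render.__name__, "reflects markup:", reflects_markup(SAMPLE_URL, body))
        print(body)
```

The encoding shown is correct only for values placed in HTML text or quoted attribute values; a value reflected into a script block or a URL attribute needs the encoding for that context.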
Running the malicious script may harm the user in various ways. As one example, the script may perform “cookie theft”. When a client application such as a web browser communicates with a server, e.g., a web server, the server often creates a relatively small file called a cookie and returns the cookie to the client application. Also, the server typically stores a record of the cookie as being associated with the user and stores preferences, if any, which have been specified to the server by the user via the client application.
After receiving the cookie from the server, the client application stores the cookie in association with the server's URL or domain name. The cookie may be stored either temporarily for a particular session of communication with the server or persistently for multiple communication sessions with the server. For communicating with the server during a session, the client application typically establishes a TCP connection with the server and sends information, including the cookie, to the server via the TCP connection.
The server receives the information, including the cookie, from the client application. If the server recognizes the cookie as being associated with the user or the client application on the user's computer system, the server reads its stored record of preferences, if any, that have been specified to the server by the user. In response to the preferences, the server may respond to the information sent by the client application, e.g., by sending messages and files to the client application. Accordingly, with the cookie, the server and the client application communicate with one another while maintaining a state throughout the session.
In some cases, the preferences previously specified to the server by the user include the user's request for the server to read the user's identification information (e.g., account name or number) and password from the cookie, so that the user's client application automatically obtains access to the user's information without the user re-authenticating himself to the server, e.g., without the user having to retype the identification information and password.
Use of a cookie in this manner thus provides convenience for the user. However, the cookie also exposes the user to potential malicious activity. In particular, a hacker may embed a malicious script in a URL, where the malicious script is returned to the client application in a response from the server and is run by the client application, as described above. In some examples, the malicious script is operable to instruct the client application to send the user's cookie to a malicious server when the client application runs the malicious script. The cookie received by the malicious server may then be used for malicious purposes.
For example, an application on the malicious server may use the cookie to communicate with the server, similar to the manner in which a legitimate client application on the user's computer system uses the cookie to communicate with the server. When the server recognizes the cookie as being associated with the user, the server may mistakenly respond by sending messages and files to the application on the malicious server. In one example, if the user's preferences include the user's request for the server to read the user's ID and password from the cookie, then the malicious server, by sending the cookie to the server, obtains access to the user's information without the user re-authenticating himself to the server.
The malicious server may then perform online theft or otherwise utilize the user's information for malicious purposes. For example, the malicious server may perform monetary theft, intellectual property theft, identity theft, fraud, etc. In one example, the hacker or malicious server views, captures or otherwise obtains the user's identification information (e.g., account name or number), password, financial information, and/or other sensitive information from the server. Accordingly, with such access, communication, and/or information, the hacker is equipped to transfer funds from the victim's financial account to the hacker's financial account, or use the victim's credit card information for purchases and cash advances, or perform other malicious activity.
In addition to cookie theft, a malicious script embedded within a URL may also perform other types of malicious activities. For example, in some cases the malicious script instructs the client application on the user's computer system to modify the server's response, such as by modifying a form action in an HTML web page that the client application received from the server. The client application displays such an HTML web page within a window on the user's client computer system, where the web page may include various form elements, such as text input boxes, check boxes, etc. The web page may request the user to enter information in the form elements, where the information is intended to be sent to the server. However, in this example, the malicious script modifies the form action to cause the information entered by the user to be sent to a malicious server instead of sending the information to the trusted server. Examples of such information are the user's authentication information (e.g., account name or number, password, PIN number, etc.), personal information (e.g., social security number, address, etc.), financial information (e.g., credit card account information, bank account information, etc.) or other sensitive information. The information sent to the malicious server may then be used for online theft or other malicious purposes, in a manner similar to that described above.