Cross-Site Scripting (XSS) attacks insert malicious scripts into otherwise trusted web sites. An XSS attacker uses a web application to send malicious code, generally in the form of a browser-side script, to an end user. These attacks succeed when a web application includes user-supplied data in the output it generates without first validating or encoding that data.
The user's browser has no way to know that the script is malicious and executes it. Because the browser treats the script as coming from a trusted source, the malicious script can access cookies, session tokens, or other sensitive information held for that site.
To address XSS vulnerabilities, all user-supplied input that is sent back to the browser should be verified to be safe (through input validation). In addition, user input should be properly escaped before it is included in the output page. Proper output encoding ensures that user input is always treated as text by the browser, not as active content that can be executed.
With this release, user input validation for XSS and XSS user input restrictions (escaping) are in place and managed by CA Technologies. To request changes to the default restriction settings or for other assistance with XSS security issues, contact CA Support at http://ca.com/support.
Copyright © 2014 CA.
All rights reserved.