Cross-Site Scripting (XSS) attacks insert malicious scripts into otherwise trusted web sites. An XSS attacker uses a web application to send malicious code, generally in the form of a browser-side script, to an end user. These attacks succeed when a web application includes user input data in the output it generates without first validating or encoding that data.
The user's browser does not know that the script is malicious and executes it. Because the browser thinks the script came from a trusted source, the malicious script can access cookies, session tokens, or other sensitive information. These scripts can even rewrite the content of the HTML page.
To address XSS vulnerabilities, all user-supplied input that is sent back to the browser should be verified to be safe (through input validation). Also, user input should be properly escaped before it is included in the output page. Proper output encoding ensures that the user input is always treated as text in the browser, instead of as active content that can be executed.
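The following is an added example, not code from CA Clarity PPM, showing the two defences described above: an allow-list input check and HTML output encoding applied to a reflected value. The function names (`escapeHtml`, `renderSearchUnsafe`, `renderSearchSafe`, `isValidSearchQuery`), the search-box scenario and the sample inputs are all assumptions made for the illustration.

```javascript
// Added example (not CA Clarity PPM code): input validation and HTML output
// encoding for a user-supplied value that is reflected back into a page.

// Map each HTML-significant character to its entity so that, whatever the
// input contains, the browser renders it as text rather than as markup.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode a value for insertion into an HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the query is concatenated into the page as-is, so
// any markup it contains becomes part of the DOM and may execute.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened rendering: the same template, but the value is encoded first,
// so the browser displays the characters instead of interpreting them.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Allow-list validation for a field that should only ever contain letters,
// digits, spaces and a few punctuation marks (hypothetical policy).
// Validation complements output encoding; it does not replace it.
const SEARCH_PATTERN = /^[\p{L}\p{N} .,'-]{1,100}$/u;
function isValidSearchQuery(query) {
  return typeof query === 'string' && SEARCH_PATTERN.test(query);
}

// Constructed sample inputs: a harmless value and one containing markup.
const samples = ['clarity 2014', '<b>bold</b> & "quoted"'];
for (const s of samples) {
  console.log('valid: ', isValidSearchQuery(s));
  console.log('unsafe:', renderSearchUnsafe(s));
  console.log('safe:  ', renderSearchSafe(s));
}
```

The encoding above is correct for HTML element content and quoted attribute values; a value placed into a different context (a URL, a CSS rule, or an inline script) needs the encoding rules of that context, so the escape function to use depends on where in the page the input lands.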
With this release, CA Clarity PPM performs user input validation for XSS. Also, this release provides new administrative options that allow you to turn the XSS restrictions (escaping) on or off. For information about using these administrative options, see the Installation Guide.
Copyright © 2014 CA.
All rights reserved.