XSSStored1.PNG

<div>
Assigned points. Question was answered.
</div>


<div>
<div class="content wysiwyg-content">
I recently installed a patch at a client site that is supposed to prevent XCSS attacks. &nbsp;<br />
<br />
I was able to embed HTML into a web form and have it saved to my customer profile. &nbsp;Is HTML in a form field considered a cross-site script attack? &nbsp;Or is it something more? &nbsp;What tools should I obtain to test the patch to make sure ?<br />
<br />
Thanks,<br />
<br />
-Dan
</div>
</div>


I recently installed a patch at a client site that is supposed to prevent XCSS attacks.  

I was able to embed HTML into a web form and have it saved to my customer profile.  Is HTML in a form field considered a cross-site script attack?  Or is it something more?  What tools should I obtain to test the patch to make sure ?

Thanks,

-Dan

Question about XCSS scripting attacks

A vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness, known as the attack surface. Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. Other vulnerabilities include security risks, security defects and constructs in programming languages that are difficult to use properly.

Vulnerabilities

A scripting language is a programming language that supports scripts, programs written for a special run-time environment that automate the execution of tasks that could alternatively be executed one-by-one by a human operator. Scripting languages are often interpreted (rather than compiled). Primitives are usually the elementary tasks or API calls, and the language allows them to be combined into more complex programs. Environments that can be automated through scripting include software applications, web pages within a web browser, the shells of operating systems (OS), embedded systems, as well as numerous games. A scripting language can be viewed as a domain-specific language for a particular environment; in the case of scripting an application, this is also known as an extension language.

Scripting Languages

Security is the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide. The main goal of security is protecting assets, and an asset is anything of value and worthy of protection.  Information Security is a discipline of protecting information assets from threats through safeguards to achieve the objectives of confidentiality, integrity, and availability or CIA for short. On the other hand, disclosure, alteration, and disruption (DAD) compromise the security objectives.

Security

HTML (HyperText Markup Language) is the main markup language for creating web pages and other information to be displayed in a web browser, providing both the structure and content for what is sent from a web server through the use of tags. The current implementation of the HTML specification is HTML5.