
The following information was obtained from various cyber security sources for notification to all parties concerned, pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG).

The information provided is classified as Restricted pursuant to PNP Regulation 200-012 on Document Security, with an Impact Rating of High based on the PNP Information and Communications Technology (ICT) Security Manual s.2010-01, p. 22 and p. 129.

SUMMARY

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Its effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner. [1]

A simple stored XSS attack may begin when the attacker injects a payload into the website's database by submitting a vulnerable form with some malicious JavaScript. The victim then requests the web page from the website, and the website serves the victim's browser the page with the attacker's payload embedded in the HyperText Markup Language (HTML) body. Because the payload is part of the page, the victim's browser executes the malicious script, which sends the victim's cookie to the attacker's server. The attacker then simply extracts the victim's cookie when the HTTP request arrives at the attacker's server, after which the stolen cookie can be used to impersonate the victim.

RECOMMENDATION

PNP personnel and the public are advised to follow the best practices listed below to prevent cross-site scripting vulnerabilities:

• Never insert untrusted data except in allowed locations, and encode it for the location where it is inserted.
• Always sanitize all user input.
• Ensure that systems are audited before they are launched on the Internet, and that security measures are in place.
• Conduct system vulnerability testing before making a system available on the Internet.
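The stored XSS flow described in the summary, and the first two recommendations above, can be made concrete with a small comment-rendering routine. The code below is an added example, not code from the PNP ACG bulletin or from any product it references: it shows how a page that concatenates a stored comment straight into its HTML body hands the browser a script, how encoding the value for its insertion point neutralises it, how an HttpOnly session cookie blunts the cookie-theft step, and a crude triage check that can be run over stored values or logs. The function names (escapeHtml, renderVulnerable, renderSafe, sessionCookieHeader, looksLikeMarkupInjection) and the sample comment are this example's own constructions.

```javascript
// Added example (not code from the PNP ACG bulletin). Walks through the stored-XSS
// flow: a comment saved to a database is later placed into the HTML body of a page
// served to another user. All names and the sample comment are constructed here.

// Minimal HTML encoding for untrusted text placed inside an element body.
// Every character that can open a tag, entity or attribute boundary is encoded,
// so the browser treats the comment as text and never as markup or script.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// How a vulnerable page typically builds its body: raw string concatenation.
// A comment containing "<script>" is emitted as markup and runs in the victim's browser.
function renderVulnerable(comment) {
  return '<div class="comment">' + comment + '</div>';
}

// Hardened rendering: same layout, but the untrusted value is encoded for the
// location it is inserted into (an element body). This is the bulletin's first
// recommendation applied: untrusted data only in allowed locations, encoded for that location.
function renderSafe(comment) {
  return '<div class="comment">' + escapeHtml(comment) + '</div>';
}

// Defence in depth for the cookie-theft step: a session cookie marked HttpOnly is not
// readable through document.cookie, so a script that does run still cannot send it
// elsewhere. HttpOnly, Secure and SameSite are standard Set-Cookie attributes.
function sessionCookieHeader(sessionId) {
  return 'session=' + encodeURIComponent(sessionId) +
    '; HttpOnly; Secure; SameSite=Lax; Path=/';
}

// Crude triage aid for reviewing stored comments or request logs: flags values that
// contain tag syntax, inline event-handler syntax, or a javascript: URL scheme.
// It is a detection hint for a reviewer, not a sanitizer, and it will produce false positives.
function looksLikeMarkupInjection(value) {
  return /<\s*\/?\s*[a-z]|\bon[a-z]+\s*=|javascript:/i.test(String(value));
}

// Constructed sample: the kind of comment an attacker submits through a form.
// The script body is an inert comment; the point is that a tag reaches the page at all.
const sampleComment = 'Nice post! <script>/* constructed sample */</script>';

console.log('vulnerable:', renderVulnerable(sampleComment));
console.log('hardened:  ', renderSafe(sampleComment));
console.log('cookie:    ', sessionCookieHeader('abc123'));
console.log('flagged:   ', looksLikeMarkupInjection(sampleComment));
```

Run with `node` to see the two renderings side by side: the vulnerable output contains a live `<script>` element, while the hardened output contains only `&lt;script&gt;` text that the browser displays rather than executes. Encoding must match the insertion point; the escapeHtml routine above is correct for element bodies and quoted attribute values, but a value placed into a URL, a JavaScript string, or a CSS context needs the encoding for that context instead.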

For additional information, please refer to the following websites:

[1] https://en.wikipedia.org/wiki/Cross-site_scripting
http://www.esecurityplanet.com/browser-security/how-to-prevent-cross-site-scripting-xss-attacks.html
https://www.acunetix.com/websitesecurity/cross-site-scripting/

POINT OF CONTACT

Please contact CSRAD, PNP ACG for any inquiries related to this CYBER SECURITY BULLETIN by e-mail or by calling 7230401 local 5337.