All of these features enhance the database functionality and can decrease development and deployment costs. However, these techniques involve disparate security models working together (or not) that can weaken your overall security model. These techniques also encourage you to take existing procedures and make them into open services. Such procedures often do not have robust security: they were built to be called from other database procedures or from specific applications, and they may not provide good input validation or enforce security rules. These are all issues that you should look into once you start blurring security boundaries, and especially once you allow access to these procedures to a larger user base through Web calls and Web services. A similar blurring of boundaries occurs when you link databases—the topic of the next chapter.
7.A Cross-site scripting and cookie poisoning

Cross-site scripting is a technique that takes advantage of script HTML tags to cause the user's browser to communicate sensitive information from your application to an attacker's application. The scheme relies on the fact that HTML can include a <SCRIPT> tag and that anything within that tag is run as JavaScript when the browser loads the page. For example, the following HTML:
<HTML>
<HEAD>
<TITLE>XSS Example</TITLE>
</HEAD>
<BODY>
<TABLE>
<TR>
<TD>Line 1</TD>
</TR>
<TR>
<TD>Line 2</TD>
</TR>
<TR>
<TD>
<!-- if this cell is built from unencoded user input, the script below runs in the victim's browser -->
<SCRIPT>
alert('This is where the call to the attackers Web site goes');
</SCRIPT>
</TD>
</TR>
<TR>
<TD>
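The table above shows what the browser ends up executing when a page echoes user input straight into a cell. The following JavaScript is an added example, not code from the book: it builds the same kind of table row twice, once by concatenating the raw value (the vulnerable pattern) and once after HTML-encoding it, and includes a small check a reviewer could run over rendered output to confirm no executable <SCRIPT> element survives. The function names, the escapeHtml routine and the sample "search term" are all constructed for this illustration.

```javascript
// Added example: vulnerable vs. hardened rendering of untrusted input into HTML.

// Encode the five characters that can change HTML parsing context.
// This is a minimal encoder written for the example, not a library call.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Vulnerable: the value is concatenated into markup unchanged, so a
// <SCRIPT> tag inside it becomes a real script element in the page.
function renderCellVulnerable(value) {
  return '<TR><TD>' + value + '</TD></TR>';
}

// Hardened: identical layout, but the value is encoded first, so the same
// input is shown as literal text ("&lt;SCRIPT&gt;...") and never executes.
function renderCellSafe(value) {
  return '<TR><TD>' + escapeHtml(value) + '</TD></TR>';
}

// Defender-side check over rendered HTML: is there still an executable
// script element? Browsers match the tag name case-insensitively, and "<SCRIPT"
// with optional whitespace is the form this check looks for.
function containsScriptTag(html) {
  return /<\s*script\b/i.test(html);
}

// Constructed sample input: the kind of value an attacker-controlled query
// parameter might carry, mirroring the <SCRIPT> cell in the book's table.
const sampleInput = "Line 3<SCRIPT>alert('call to the attackers Web site goes here')</SCRIPT>";

// Running this file prints both renderings so the difference is visible.
console.log('vulnerable:', renderCellVulnerable(sampleInput));
console.log('safe      :', renderCellSafe(sampleInput));
console.log('script element present after encoding?',
  containsScriptTag(renderCellSafe(sampleInput)));
```

Output encoding at the point where data is written into HTML is the control the book's example calls for; input validation on the database procedure side is a useful second layer, but on its own it cannot know which output context (HTML body, attribute, script) the value will later be placed in.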