Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos
"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"
Another risk of including third-party scripts is the danger that those scripts will be compromised by a party even more malicious than advertising companies. An otherwise secure banking platform can be compromised if it includes scripts from a compromised site. Remember that scripts can be used to monitor keypress events or rewrite form controls; attackers may be able to log users' keystrokes to capture passwords, credit card numbers, or other personal information.
To make matters worse, a few of the companies we trust to provide Secure Sockets Layer (SSL) security certificates often encourage their clients to put nice logos (such as images) on their sites. These logos attempt to assure users that the site is using a reputable vendor for its SSL certificate and therefore users should feel secure. For whatever reason, the certificate organizations often want to provide sites with a script to include rather than just a simple image, which would have far less impact on the security boundary of the application. Here's an example:
This creates a familiar seal:
Or it adds the following: