Definitions

Active content is

electronic documents that can carry out or trigger actions automatically on a computer platform without the intervention of a user.[1]
[s]oftware in various forms that is able to automatically carry out or trigger actions on a computer platform without the intervention of a user.[2]
interactive program elements downloaded to the client (i.e., a Web browser) and processed there instead of the server.[3]

Overview

Active content can be used to create splash pages or interface options such as drop-down menus. It is also a common vector by which attackers download or execute malicious code on a user's computer.

The use of active content often requires users to lower the security settings of their Web browsers before it will run. If not implemented correctly, active content can present a serious threat to the end user; for example, it can take actions on its own without the knowledge or express consent of the user.

While active content poses risk to the client, it can also pose risk to the Web server. Information processed on the client is under the control of the user, who can manipulate the results by reverse engineering and tampering with the active content. For example, form validation performed by active content elements on the client side can be altered to return out-of-range values or other unexpected results to the server. The server therefore should not trust the results of processing done on the client by active content; it should verify those results itself. Organizations considering the deployment of client-side active content should carefully weigh the risks to both their users and their Web servers.[4]
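The point about client-side validation can be shown in code. The following is an added example, not taken from NIST SP 800-44 or the other sources cited here: a hypothetical order form (field names, limits and coupon codes are all constructed) whose validation runs in the browser as active content and is then repeated on the server, which ignores anything the client claims about having already checked the data.

```javascript
// Added example (not from the cited NIST/CNSSI documents): client-side
// validation is a usability aid; only the server's re-check is a control.
// Hypothetical rule set for a constructed order form.
const QTY_MIN = 1;
const QTY_MAX = 10;
const KNOWN_COUPONS = new Set(["SPRING10", "WELCOME5"]);

// Shared rules. Both sides call this, but only the server's call is trusted.
function checkOrderFields(order) {
  const errors = [];
  if (!Number.isInteger(order.quantity) ||
      order.quantity < QTY_MIN || order.quantity > QTY_MAX) {
    errors.push(`quantity must be an integer between ${QTY_MIN} and ${QTY_MAX}`);
  }
  if (order.coupon !== undefined && order.coupon !== "") {
    if (typeof order.coupon !== "string" || !KNOWN_COUPONS.has(order.coupon)) {
      errors.push("unknown coupon code");
    }
  }
  return errors;
}

// What the browser-side script (the active content) does before submitting.
// A user who tampers with the page can skip this function entirely.
function validateOnClient(formValues) {
  const order = {
    quantity: Number(formValues.quantity),
    coupon: String(formValues.coupon || ""),
  };
  const errors = checkOrderFields(order);
  return { ok: errors.length === 0, errors, order };
}

// Server-side handler: treats the request body as untrusted bytes, re-parses
// it and re-runs every rule. Extra fields such as a "clientValidated" flag
// are dropped rather than believed.
function handleOrderOnServer(rawBody) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (e) {
    return { status: 400, errors: ["malformed JSON body"] };
  }
  if (typeof body !== "object" || body === null || Array.isArray(body)) {
    return { status: 400, errors: ["body must be a JSON object"] };
  }
  // Copy only the expected fields; types are checked strictly (a string "3"
  // is rejected, not coerced), so the server never repairs bad input.
  const order = { quantity: body.quantity, coupon: body.coupon };
  const errors = checkOrderFields(order);
  if (errors.length > 0) {
    return { status: 400, errors };
  }
  return {
    status: 200,
    accepted: { quantity: order.quantity, coupon: order.coupon || null },
  };
}

// Demonstration with constructed requests.
const honest = validateOnClient({ quantity: "3", coupon: "SPRING10" });
console.log("client check ok:", honest.ok);                                  // true
console.log("server:", handleOrderOnServer(JSON.stringify(honest.order)));   // status 200

// The out-of-range case the text describes: the client script was bypassed
// and the request carries a value the browser-side check would have refused.
const tampered = JSON.stringify({ quantity: 9999, coupon: "SPRING10", clientValidated: true });
console.log("server:", handleOrderOnServer(tampered));                       // status 400

module.exports = { checkOrderFields, validateOnClient, handleOrderOnServer };
```

The design choice worth noting is that the same rule function is used on both sides: the browser copy gives immediate feedback, the server copy is the only one whose verdict matters. Keeping the rules in one place avoids the common drift where the client check is updated and the server check is forgotten.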

References

  1. NIST Special Publication 800-28, ver. 2.
  2. CNSSI 4009, at 3.
  3. NIST Special Publication 800-44, at 6-9.
  4. Id.

See also