Invalid user input occurs when a user inserts data or characters into an application's data entry field and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application.
Invalid inputs are also used for Cross-Site Scripting (XSS) attacks. This type of attack relies on the attacker being able to insert script code into an input field and having the script executed on the client machine. By enabling Global Script Protection, there is a very limited protection against certain Cross-Site Scripting attack vectors. It is important to understand that enabling this setting does not protect hosted applications from all possible Cross-Site Scripting attacks.
When this setting is turned on, it uses a regular expression defined in the file neo-security.xml to replace input variables containing the following tags: object, embed, script, applet, and meta with Invalid Tag. This setting does not restrict any JavaScript strings that may be injected and executed, iframe tags, or any XSS obfuscation techniques. |