Feeds

Nothing succeeds like XSS

Unless you use NoScript, that is

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

Sysadmin blog Most users think the web works like a television. They go to a website and are presented with images, text and multimedia. What they don’t know is that, unlike a television, some of what they see executes on the server, and some on our own computers, and any time an application runs on our computers there is the potential for a vulnerability that could lead to the loss of our personal information or infection by malware.

Among other things, scripts that run on our local computers collect information such as location or configuration and report it back to websites to tailor our experience. Scripts can perform tasks such as spell checking or ensuring that you have typed your password and its confirmation identically. They can launch programs such as Adobe Flash or Reader. Depending on the level of permissions you have configured, scripts can read files from your computer, save files to your computer and even execute untrusted programs. Scripts can do almost anything your computer can do - if they have the permissions to do so.

Cross site scripting (XSS) is a vulnerability where a website contains calls to load and run scripts that are not located on its own domain. Compromised websites can be configured to load scripts from third-party websites that contain malware, or may compromise your privacy. Perhaps the best known legitimate example of this practice is Facebook. Though Facebook is located at facebook.com, it loads content and scripts from the Facebook Content Delivery Network, fbcdn.net.

The challenge of dealing with XSS is knowing when a website’s XSS is legitimate, and when it is a threat. It’s easy to use Flashblock to prevent all flash on a website loading and then simply allow individual flash objects to load by clicking on them. It is another thing entirely to convince users they should block all scripts from executing on their system by default, and allow only those from sites they trust permission to run.

The excellent Firefox plug-in NoScript allows us to do this. Unlike other security and privacy browser extensions that are fairly unobtrusive NoScript is, by its nature, an extension that breaks websites. When you arrive at a website filled with rich content provided by scripts, or calls to external programs such as Adobe Flash or Adobe Reader, NoScript prevents any or all of the potential vulnerabilities from running on your computer. A gaudy beige bar appears at the bottom of your web browser and helpfully informs you exactly how many items it stopped.

If you wish to use all the features of a website, you enable them one at a time. When you examine the list of objects that are loading, you often discover that many of them are trying to load from other websites. Unlike other security and privacy extensions such as an adblock, there is no preset “whitelist” of domains. Each user of NoScript has the difficult task of learning and understanding how the web is constructed, so as to make informed judgments about what bits of it have access to run programs.

This seems frightening, frustrating and needlessly time consuming to the average Joe. Indeed I know many a sysadmin who doesn’t see the value in NoScript. They would rather trade security for the convenience of having the websites they visit “just work” without any further thought. The inherent laziness of people who should know better wins out over security and privacy. We need to do better.

 NoScript is the best defence we currently have against dangerous scripting attacks, many of which can affect you regardless of which operating system you use. Considering I use the web for important activities such as banking and paying bills, I consider it to be absolutely vital. ®

Intelligent flash storage arrays

More from The Register

next story
Azure TITSUP caused by INFINITE LOOP
Fat fingered geo-block kept Aussies in the dark
NASA launches new climate model at SC14
75 days of supercomputing later ...
Yahoo! blames! MONSTER! email! OUTAGE! on! CUT! CABLE! bungle!
Weekend woe for BT as telco struggles to restore service
Cloud unicorns are extinct so DiData cloud mess was YOUR fault
Applications need to be built to handle TITSUP incidents
NSA SOURCE CODE LEAK: Information slurp tools to appear online
Now you can run your own intelligence agency
BOFH: WHERE did this 'fax-enabled' printer UPGRADE come from?
Don't worry about that cable, it's part of the config
Stop the IoT revolution! We need to figure out packet sizes first
Researchers test 802.15.4 and find we know nuh-think! about large scale sensor network ops
DEATH by COMMENTS: WordPress XSS vuln is BIGGEST for YEARS
Trio of XSS turns attackers into admins
SanDisk vows: We'll have a 16TB SSD WHOPPER by 2016
Flash WORM has a serious use for archived photos and videos
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Driving business with continuous operational intelligence
Introducing an innovative approach offered by ExtraHop for producing continuous operational intelligence.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?