Feeds

Nothing succeeds like XSS

Unless you use NoScript, that is

  • alert
  • submit to reddit

Next gen security for virtualised datacentres

Sysadmin blog Most users think the web works like a television. They go to a website and are presented with images, text and multimedia. What they don’t know is that, unlike a television, some of what they see executes on the server, and some on our own computers, and any time an application runs on our computers there is the potential for a vulnerability that could lead to the loss of our personal information or infection by malware.

Among other things, scripts that run on our local computers collect information such as location or configuration and report it back to websites to tailor our experience. Scripts can perform tasks such as spell checking or ensuring that you have typed your password and its confirmation identically. They can launch programs such as Adobe Flash or Reader. Depending on the level of permissions you have configured, scripts can read files from your computer, save files to your computer and even execute untrusted programs. Scripts can do almost anything your computer can do - if they have the permissions to do so.

Cross site scripting (XSS) is a vulnerability where a website contains calls to load and run scripts that are not located on its own domain. Compromised websites can be configured to load scripts from third-party websites that contain malware, or may compromise your privacy. Perhaps the best known legitimate example of this practice is Facebook. Though Facebook is located at facebook.com, it loads content and scripts from the Facebook Content Delivery Network, fbcdn.net.

The challenge of dealing with XSS is knowing when a website’s XSS is legitimate, and when it is a threat. It’s easy to use Flashblock to prevent all flash on a website loading and then simply allow individual flash objects to load by clicking on them. It is another thing entirely to convince users they should block all scripts from executing on their system by default, and allow only those from sites they trust permission to run.

The excellent Firefox plug-in NoScript allows us to do this. Unlike other security and privacy browser extensions that are fairly unobtrusive NoScript is, by its nature, an extension that breaks websites. When you arrive at a website filled with rich content provided by scripts, or calls to external programs such as Adobe Flash or Adobe Reader, NoScript prevents any or all of the potential vulnerabilities from running on your computer. A gaudy beige bar appears at the bottom of your web browser and helpfully informs you exactly how many items it stopped.

If you wish to use all the features of a website, you enable them one at a time. When you examine the list of objects that are loading, you often discover that many of them are trying to load from other websites. Unlike other security and privacy extensions such as an adblock, there is no preset “whitelist” of domains. Each user of NoScript has the difficult task of learning and understanding how the web is constructed, so as to make informed judgments about what bits of it have access to run programs.

This seems frightening, frustrating and needlessly time consuming to the average Joe. Indeed I know many a sysadmin who doesn’t see the value in NoScript. They would rather trade security for the convenience of having the websites they visit “just work” without any further thought. The inherent laziness of people who should know better wins out over security and privacy. We need to do better.

 NoScript is the best defence we currently have against dangerous scripting attacks, many of which can affect you regardless of which operating system you use. Considering I use the web for important activities such as banking and paying bills, I consider it to be absolutely vital. ®

The essential guide to IT transformation

More from The Register

next story
The Return of BSOD: Does ANYONE trust Microsoft patches?
Sysadmins, you're either fighting fires or seen as incompetents now
Microsoft: Azure isn't ready for biz-critical apps … yet
Microsoft will move its own IT to the cloud to avoid $200m server bill
Oracle reveals 32-core, 10 BEEELLION-transistor SPARC M7
New chip scales to 1024 cores, 8192 threads 64 TB RAM, at speeds over 3.6GHz
US regulators OK sale of IBM's x86 server biz to Lenovo
Now all that remains is for gov't offices to ban the boxes
Object storage bods Exablox: RAID is dead, baby. RAID is dead
Bring your own disks to its object appliances
VMware vaporises vCHS hybrid cloud service
AnD yEt mOre cRazy cAps to dEal wIth
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
BYOD's dark side: Data protection
An endpoint data protection solution that adds value to the user and the organization so it can protect itself from data loss as well as leverage corporate data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?