Feeds

Nothing succeeds like XSS

Unless you use NoScript, that is

  • alert
  • submit to reddit

Build a business case: developing custom apps

Sysadmin blog Most users think the web works like a television. They go to a website and are presented with images, text and multimedia. What they don’t know is that, unlike a television, some of what they see executes on the server, and some on our own computers, and any time an application runs on our computers there is the potential for a vulnerability that could lead to the loss of our personal information or infection by malware.

Among other things, scripts that run on our local computers collect information such as location or configuration and report it back to websites to tailor our experience. Scripts can perform tasks such as spell checking or ensuring that you have typed your password and its confirmation identically. They can launch programs such as Adobe Flash or Reader. Depending on the level of permissions you have configured, scripts can read files from your computer, save files to your computer and even execute untrusted programs. Scripts can do almost anything your computer can do - if they have the permissions to do so.

Cross site scripting (XSS) is a vulnerability where a website contains calls to load and run scripts that are not located on its own domain. Compromised websites can be configured to load scripts from third-party websites that contain malware, or may compromise your privacy. Perhaps the best known legitimate example of this practice is Facebook. Though Facebook is located at facebook.com, it loads content and scripts from the Facebook Content Delivery Network, fbcdn.net.

The challenge of dealing with XSS is knowing when a website’s XSS is legitimate, and when it is a threat. It’s easy to use Flashblock to prevent all flash on a website loading and then simply allow individual flash objects to load by clicking on them. It is another thing entirely to convince users they should block all scripts from executing on their system by default, and allow only those from sites they trust permission to run.

The excellent Firefox plug-in NoScript allows us to do this. Unlike other security and privacy browser extensions that are fairly unobtrusive NoScript is, by its nature, an extension that breaks websites. When you arrive at a website filled with rich content provided by scripts, or calls to external programs such as Adobe Flash or Adobe Reader, NoScript prevents any or all of the potential vulnerabilities from running on your computer. A gaudy beige bar appears at the bottom of your web browser and helpfully informs you exactly how many items it stopped.

If you wish to use all the features of a website, you enable them one at a time. When you examine the list of objects that are loading, you often discover that many of them are trying to load from other websites. Unlike other security and privacy extensions such as an adblock, there is no preset “whitelist” of domains. Each user of NoScript has the difficult task of learning and understanding how the web is constructed, so as to make informed judgments about what bits of it have access to run programs.

This seems frightening, frustrating and needlessly time consuming to the average Joe. Indeed I know many a sysadmin who doesn’t see the value in NoScript. They would rather trade security for the convenience of having the websites they visit “just work” without any further thought. The inherent laziness of people who should know better wins out over security and privacy. We need to do better.

 NoScript is the best defence we currently have against dangerous scripting attacks, many of which can affect you regardless of which operating system you use. Considering I use the web for important activities such as banking and paying bills, I consider it to be absolutely vital. ®

Build a business case: developing custom apps

More from The Register

next story
Sysadmin Day 2014: Quick, there's still time to get the beers in
He walked over the broken glass, killed the thugs... and er... reconnected the cables*
Auntie remains MYSTIFIED by that weekend BBC iPlayer and website outage
Still doing 'forensics' on the caching layer – Beeb digi wonk
Microsoft says 'weird things' can happen during Windows Server 2003 migrations
Fix coming for bug that makes Kerberos croak when you run two domain controllers
Cisco says network virtualisation won't pay off everywhere
Another sign of strain in the Borg/VMware relationship?
VVOL update: Are any vendors NOT leaping into bed with VMware?
It's not yet been released but everyone thinks it's the dog's danglies
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.