Saturday, October 30, 2010

Internet Security: The Cross-Site Scripting Attack

We all know that security on the internet is a major topic nowadays.  Even after you install your brand new web browser and you install your brand new antivirus, you are still vulnerable.  Why is that?  A large part of internet security “holes” or places you are most likely to receive and attack from are actually the things you installed yourself.

XSS is an abbreviation for Cross-Site Scripting, what this used to refer to when it was first discovered was when a third party website used your credentials to log into another website or to steal your information directly through another website.  It has since expanded into covering many more injection style attacks that target client side scripts.

Client side scripting is mainly referring to JavaScript although other ones do exist.  Server side scripting uses languages like PHP and Perl.  Client side scripts are how websites and your computer tie together to execute code on your computer.  These scripts have access to cookies as a means of storing and retrieving data.  Probably the most important cookie from this context is the Session Cookie,  websites use session cookies to log you in and keep you logged in as long as you are at the site or for a certain length of time until the cookie expires.  If another site is injecting code into your scripts or entire scripts into your web browser what is keeping them from simply looking at your session cookies and copying your credentials.  Congratulations, you’ve now experienced one of the most common forms of identity theft on the internet.

Web browsers have done their best to take up the task of blocking XSS attacks from occurring.  Many of today’s browsers support an attribute called HTTP only for their cookies which blocks scripts from accessing them.  This however does not solve all the problems XSS presents.  Script blocking, either in the browser or by using a third party add-on like No Script for Firefox which provides Domain level blocking(it blocks it by the name of the website)  are some more ways to help control the problem.  By blocking most of everything and only allowing the scripts you want to run you can protect yourself from a vast majority of XSS attacks.  Some people consider No Script to be too much of a burden though as it can break the functionality of many websites until properly set up.

So with all of these companies focusing on fixing XSS and preventing this problem why is it still so prevalent?  For the most part, Flash.  Adobe’s Flash player isn’t just a client side codebase, it’s practically an entire platform for running rich media content on a remote pc.  Not only it used to provide videos and music players, interactive game platforms and user interaction, but it can be used for advertising too, XSS opportunities crop up like weeds when flash ad’s get loaded.

That being said it’s not entirely Adobe’s fault.  Sloppy coding practices, non sanitized inputs, and vulnerabilities in other software itself contribute to the problem as well.  Be wary of your scripts and who sends them to you.  If you are browsing unknown websites tools like No Script can be a lifesaver.

Share this on del.icio.usDigg this!Post this on DiigoShare this on RedditStumble upon something good? Share it on StumbleUponShare this on TechnoratiShare this on MixxTweet This!Subscribe to the comments for this post?Add this to Mister Wong

Related posts:

Are we witnessing death to Internet Explorer?Why People Use Browsers Other Than Internet ExplorerApple Steps Into The Cross Hairs of The FedsHow Internet Bandwidth WorksGoogle and the Internet

No comments yet

Your Comment

Name (required)

Mail (will not be published) (required)

Website

Notify me of followup comments via e-mail


#submit

View the Original article

No comments:

Post a Comment