
Anti-Cross-Site-Scripting (XSS) Tips & Tricks

Cross-site scripting (XSS) is very common on websites. Before you browse a given webpage, make sure that you are protected against XSS vulnerabilities first. Doing so will save you a lot of headaches and annoyances.

 
Compromises Your Whole Website
 
If an attacker succeeds in executing an XSS exploit against your network, it can let them manipulate and compromise your computer at will. To guard against that, you should do the following:
 
  • For the love of Mozilla, get Firefox, Opera, Safari, or Konqueror as your web browser. Using Internet Explorer is just asking for trouble. Also, even without the security issues, it provides a subpar browsing experience.
 
  • Don't run JavaScript by default. Get the NoScript extension for Firefox so that you can allow JS for trusted domains (like your own) and block it everywhere else, or just disable JavaScript completely (in Firefox, go to Edit, then Preferences, then Content, and uncheck "Allow Java" and "Allow JavaScript").
 
  • Don't run Flash (which is basically JS)—even from places like YouTube, which is full of malicious files—unless you are absolutely sure that it can be trusted. Use NoScript for this.
 
  • Turn off Java.
 
  • Don't visit any sites that you do not recognize, period. Check the URL (Internet address) carefully when you get a link, because lookalike names are easy to miss. For example, http://www.forbs.com is not the same as http://www.forbes.com.
 
  • For the truly paranoid, you can go further and browse text-only (in Firefox, go to Edit, then Preferences, then Content, and uncheck "Load Images"). A skillful cracker can still get code to execute from within a JPEG file; it is not common or easy, but it is possible.
 
  • Create a strong master password for your browser (Edit, then Preferences, then Passwords), change your existing passwords, and clear your private data upon exit. Creating a master password will give you that option by default.
 
I can't stress the last item enough. If you do get tricked, a master password plus regularly flushed private data can give you a fighting chance. At the very least, your passwords will be locked up—or at least the ones that are changed after the master password goes into effect. Your master password will not protect against attacks targeted at sites that you're already logged into upon hitting the evil XSS site, though.
 
That's why it's important to clear everything regularly. You can still store passwords—which is nice because you can use multiple passwords for different sites—but you only need to remember your strong master password. Clearing cookies and authenticated sessions upon shutting down Firefox will log you out safely and decrease your chances of giving up the goods.
 
If you do all that, you should be pretty safe. Good luck.
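As an added example that is not part of the original article, the following Python script renders the Firefox settings walked through above as a user.js preference file and audits an existing user.js for settings that are missing or weaker than recommended. The preference names are assumptions: they are standard about:config keys, but the page only gives the menu paths, and a master password cannot be set this way, so it is not included.

```python
import re

# Firefox preferences corresponding to the tips above (pref names are assumptions;
# the page describes only the Edit > Preferences menu paths, not the keys).
HARDENING_PREFS = {
    "javascript.enabled": False,                  # "Allow JavaScript" unchecked
    "permissions.default.image": 2,               # "Load Images" unchecked (2 = block)
    "privacy.sanitize.sanitizeOnShutdown": True,  # clear private data on exit
    "privacy.clearOnShutdown.cookies": True,      # drop cookies on exit ...
    "privacy.clearOnShutdown.sessions": True,     # ... and authenticated sessions
}


def _js_literal(value):
    """Render a Python value as the literal form user.js expects."""
    if isinstance(value, bool):          # must precede the int check: bool is an int
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return '"%s"' % str(value).replace('"', '\\"')


def render_user_js(prefs=HARDENING_PREFS):
    """Produce user.js content that applies the given preferences."""
    return "".join('user_pref("%s", %s);\n' % (k, _js_literal(v)) for k, v in prefs.items())


_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$', re.M)


def parse_user_js(text):
    """Parse user_pref(...) lines back into a dict of Python values."""
    prefs = {}
    for key, raw in _PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[key] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[key] = int(raw)
        else:
            prefs[key] = raw.strip('"')
    return prefs


def audit_user_js(text, expected=HARDENING_PREFS):
    """Return expected prefs that are absent or differ; value is what was found (None if absent)."""
    actual = parse_user_js(text)
    return {k: actual.get(k) for k, v in expected.items() if actual.get(k) != v}


# Constructed sample profile that only disabled JavaScript; everything else is still default.
SAMPLE_USER_JS = 'user_pref("javascript.enabled", false);\nuser_pref("browser.startup.page", 0);\n'
```

Running `audit_user_js(SAMPLE_USER_JS)` reports the four clear-on-exit and image settings as missing, while a file produced by `render_user_js()` audits clean.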
 
The SecPoint® Protector (http://www.secpoint.com/secpoint-protector.html) protects against all XSS attacks.
 
The SecPoint® Penetrator (http://www.secpoint.com/secpoint-penetrator.html) can automatically crawl through your website and find XSS weaknesses.
 
SecPoint® © Copyright 1999-2013