26. November 2015 02:12
Cross-site scripting, or XSS, is a common security exploit that allows hackers to run a malicious client-side script on trusted and credible websites. When a user visits the infected website, the browser automatically executes the malicious script, which can give the attacker access to cookies and session tokens, let them steal accounts, spread web worms, initiate phishing attacks, or even remotely control the browser.
Types Of Cross-Site Scripting Attacks
- Stored XSS: Also known as persistent XSS or HTML injection, this is probably the most damaging type of XSS. The attacker injects a malicious script that is permanently stored on the target server, for example in a blog, a forum post or a comment field. When a user navigates to the affected web page, the script runs inadvertently as part of the page.
- Reflected XSS: In a reflected XSS attack, the injected script is reflected off the web server, for example inside a search result or an error message. Also known as non-persistent XSS, a reflected attack is delivered to the victim through an e-mail message, a social network or some other website containing a malformed URL. When the user performs the desired action, i.e. clicks the link, submits the form or simply browses to the spam URL, the injected code is sent to the vulnerable website. Because the script appears to come from a credible server, the browser executes it.
- DOM Based XSS: This attack exploits vulnerabilities in the web page's own client-side code. It is carried out through inappropriate handling of the page's HTML data via its DOM (Document Object Model). The most commonly manipulated DOM properties in such an attack are document.referrer, document.URL and location.hash.
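As an added illustration that is not part of the original post, the following JavaScript shows each of the three patterns next to its defence: output encoding for the stored and reflected cases, and a text sink instead of innerHTML for the DOM-based case. The function names, the fake document object and the sample input are all constructed for this example.

```javascript
// Added example (not the original post's code): how each XSS pattern arises in code and
// what the matching defence looks like. Names, the fake document and inputs are constructed.

// Encode the five characters that let untrusted text break out of an HTML text node
// or a quoted attribute value. '&' is replaced first so the other entities stay intact.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Stored XSS pattern: a saved comment is concatenated straight into the page markup.
function renderCommentUnsafe(comment) {
  return '<p class="comment">' + comment + '</p>';
}

// Hardened version: same markup, but the untrusted value is encoded at output time.
function renderCommentSafe(comment) {
  return '<p class="comment">' + escapeHtml(comment) + '</p>';
}

// Reflected XSS pattern: a search term taken from the URL is echoed back in a message.
// The fix is the same: encode for the HTML context you are writing into.
function renderSearchSafe(term) {
  return '<h2>No results for "' + escapeHtml(term) + '"</h2>';
}

// DOM-based XSS pattern: client-side code reads location.hash and writes it into the
// document. `doc` stands in for the browser's document so this runs under Node.
function showFragmentUnsafe(doc, hash) {
  doc.body.innerHTML = 'Section: ' + decodeURIComponent(hash.slice(1)); // markup is parsed
  return 'innerHTML';
}
function showFragmentSafe(doc, hash) {
  doc.body.textContent = 'Section: ' + decodeURIComponent(hash.slice(1)); // shown as text
  return 'textContent';
}

// Constructed untrusted input used to exercise the functions above.
const SAMPLE_INPUT = '<script>alert(1)</script>';
const SAMPLE_HASH = '#' + encodeURIComponent(SAMPLE_INPUT);

function makeFakeDocument() {
  return { body: { innerHTML: '', textContent: '' } };
}
```

In a real browser the textContent assignment displays the tag characters literally, while the innerHTML assignment hands them to the HTML parser.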
Tips To Prevent Against Cross-Site Scripting
- Do not trust links in emails, message boards or other websites. They may contain malicious code and redirect you to a spam website.
- Manually type the URL into the browser when visiting security-sensitive web pages.
- Websites that require entering important personal or business information should not be accessed through a third party portal.
Cross-site scripting poses an immense threat to the online security and privacy of millions of users. Therefore, it is important for developers to follow the recommended security practices to eliminate an attacker's ability to infect the website with malicious code.
Web browsers such as Google Chrome, Mozilla Firefox and Microsoft Edge should be configured securely in order to protect against cyber-attacks. Failing to do so may lead to various computer problems, including the installation of spyware or leaving your computer system vulnerable to a data breach.
Here are some tips to secure your web browser against attacks:
- Keep Your Browser Updated: Update your web browser frequently to patch any security vulnerabilities. You can either enable automatic updates or regularly check for newer versions of the browsers you use. Make sure you download software updates from credible sources only.
- Block Third-Party Cookies: Though cookies are important for running various web-based applications, hackers can use them for malicious purposes. Disabling cookies from all websites may hamper your browsing experience; however, you should update your browser's settings to block third-party cookies and prevent hackers from tracking your online activity.
- Enable Click-To-Play Plugins: Enabling the click-to-play option for plugins in your web browser saves your computer's battery power and CPU cycles and reduces the loading time of websites. Because plugins no longer run automatically, hackers will not be able to exploit minor security flaws in your web browser through them.
- Turn On Popup Blockers: Pop-ups not only impede your web browsing experience but can also inadvertently download and install malware or use social engineering to make you click on a spam website link. Make sure the pop-up blocker in your web browser is enabled.
- Delete Unused Plugins: Uninstall any plugins that you do not use. For instance, Java and Microsoft's Silverlight are not used by many websites and can be uninstalled. You can re-install a plugin at any time if you come across a website that needs it.
- Disable Auto-Fill Feature: The auto-fill or autocomplete feature saves your search terms, financial information and login credentials for different websites. Leaving this feature enabled poses a serious risk if your laptop is stolen or infected with malicious software by cyber criminals.
- Use Browser Extensions Carefully: Though extensions can help to personalize your browsing experience, they can also be dangerous if not used cautiously. Malicious extensions can capture your keystrokes, track your online activity, insert spam advertisements into web pages, etc. As far as possible, limit the number of browser extensions you install to those you actually need.
For more tips on securing your web browser against attacks, you can contact Centex Technologies at (972) 375 – 9654.