Cross-Site Scripting and Criminal Hacks

Tuesday, December 14, 2010

Robert Siciliano


Secure computing requires an ongoing process, as you learn about risks and then implement processes and technology to protect yourself.

Without a concerted effort to defend your data, you will almost certainly be victimized by some type of cyber-invasion.

JavaScript is everywhere, making the Internet pretty and most websites user friendly. Unfortunately, hackers have learned to manipulate this ubiquitous technology for personal gain.

JavaScript can be used to launch a cross-site scripting (XSS) attack, which exploits a vulnerability often found in web applications that incorporate JavaScript. The vulnerability allows hackers to insert code into a website you frequent, which will infect your browser and then your PC.

Following links without knowing what they point to, using interactive forms on an untrustworthy site, or viewing online discussion groups or other pages where users may post text containing HTML tags can put your browser at risk.
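The discussion-page case above is the classic stored XSS setup: a site takes text one user posted and hands it to other users' browsers as markup. The snippet below is an added example, not code from the original post; it uses a constructed sample post and a hypothetical `renderSafe`/`renderUnsafe` pair to show the difference between echoing the text as HTML and encoding it first.

```javascript
// Added example (not from the original post): rendering a user-posted
// comment from a discussion thread. The post below is a constructed sample
// of the kind of text a visitor might type into a comment form.
const userPost = 'Nice post! <script>alert("xss")</script>';

// Vulnerable rendering: the text is spliced straight into the page's HTML,
// so any tags the poster typed become live markup and their script runs in
// every reader's browser.
function renderUnsafe(post) {
  return '<div class="post">' + post + '</div>';
}

// Hardened rendering: encode the five characters that can open or close
// markup or an attribute, so the browser displays the tags as plain text.
function escapeHtml(text) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderSafe(post) {
  return '<div class="post">' + escapeHtml(post) + '</div>';
}

// Quick check a reviewer can run over rendered output: after removing the
// wrapper we added ourselves, does any user-supplied tag survive as markup?
function containsRawTag(html) {
  const inner = html
    .replace(/^<div class="post">/, '')
    .replace(/<\/div>$/, '');
  return /<[a-zA-Z/]/.test(inner);
}
```

Encoding at output time is what stops posted text from being interpreted as code; it is the site's fix for the problem, while the browser-side tools the post goes on to mention only limit the damage when a site has not done it.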

Facebook, one of the most popular websites, is a likely place for JavaScript hacks, due to cross-site scripting vulnerabilities and the overall lack of security of Facebook users.

This allows hackers to read a victim’s private Facebook messages, to access private pictures, to send messages to the victim’s contacts on his or her behalf, to add new (and potentially dangerous) Facebook applications, and to steal the victim’s contacts.

Beware of going down the rabbit hole when browsing the Internet. Once you start clicking link after link, you may find yourself on an infected site. And look out for scams such as contests that require you to paste code into Facebook, your blog, or any other site.

To protect yourself from cross-site scripting attacks, update your browser to the most recent version, with the most current security settings.

McAfee offers a free tool, SiteAdvisor, which helps detect malicious sites. In Firefox, you can install NoScript, a plug-in that lets you control when to enable JavaScript. NoScript also includes a list of good and bad sites.

In Chrome, you can disable JavaScript in preferences, and in Internet Explorer, you can fiddle with the settings and adjust “Internet Zones,” but the default settings are best for most people.

In Adobe Reader, JavaScript can be disabled altogether, under “Edit” and then “Preferences.” That being said, after changing default browser or program settings, the reduced functionality may impede your ability to do anything online.

The trick is to have the most updated security software and to avoid social engineering scams that ask you to click links or copy code.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit card fraud on NBC Boston.

Fred Williams: Good advice. There are a few zero day exploits out there for IE 6 and 7 that have made it into a few popular hacker kits.