Making Sense Of Cross-Site Scripting

by Andy on April 20th, 2009 in Industry and Security News, Security Tips.

You may have seen the headlines last week about a series of worm attacks on Twitter. As we know that many of you use the site (and maybe even follow the team here at Lavasoft on it) we’d like to take a moment to clarify what it was and how you can stay safe.


The worms on Twitter were part of a cross-site scripting, or XSS, attack. Rather than a file that is installed on your machine, the infection is malicious code injected into the web page itself.
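To make the "injected into the page itself" point concrete, here is an added example (not code from the original post or from Twitter) showing the mistake on the site side and its fix: untrusted text dropped straight into HTML becomes live markup, while the same text passed through an HTML-encoding step stays inert. The profile "bio" field and the sample input are assumptions constructed for the example.

```javascript
// Added example: why untrusted text in a page can execute, and the
// defender-side fix of encoding it before it is placed in HTML.
// Assumption: a site renders a user-supplied profile bio into a fragment.

// Replace every character that has meaning in HTML with its entity form,
// so the browser treats the result as text rather than markup.
function escapeHtml(untrusted) {
  const entities = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#39;", "`": "&#96;",
  };
  return String(untrusted).replace(/[&<>"'`]/g, (ch) => entities[ch]);
}

// The unsafe pattern: untrusted text concatenated directly into markup.
function renderBioUnsafe(bio) {
  return `<p class="bio">${bio}</p>`;
}

// The hardened pattern: encode first, then concatenate.
function renderBioSafe(bio) {
  return `<p class="bio">${escapeHtml(bio)}</p>`;
}

// Simple review/logging check: does a string still contain a tag opener?
// Correctly encoded user text never does, because every "<" became "&lt;".
function containsRawTag(text) {
  return /<\/?[a-z]/i.test(text);
}

// Constructed sample input: a bio that smuggles a script element into the page.
const sampleBio = "Hello <script>/* injected */</script> world";

console.log(renderBioUnsafe(sampleBio)); // script element survives intact
console.log(renderBioSafe(sampleBio));   // rendered as visible text only
```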

How do you protect yourself from this type of threat? Learning a bit about JavaScript vulnerabilities (JavaScript and HTML are the languages usually used for XSS exploits) within your browser of choice can help to mitigate your risk of infection. You can consider turning off or blocking JavaScript within your browser. This may not be practical for all users, though, since some sites require JavaScript to function properly.

Another solution is to install Firefox and take advantage of the “NoScript” plug-in, which can block JavaScript exploits from automatically running if you visit a compromised website. While it can take some getting used to in order to learn how to use this plug-in properly, the end result of knowing what a web page is really trying to do when it loads in your browser – and controlling what scripts can and can’t run – may be well worth the learning curve.