LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for August 21, 2008

Standards, the kernel, and Postfix

In defense of Ubuntu

Why the JMRI decision matters

LWN.net Weekly Edition for August 14, 2008

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

XSS is for real

XSS is for real

Posted Apr 13, 2006 16:23 UTC (Thu) by b7j0c (subscriber, #27559)
Parent article: Cross-site scripting attacks

xss is definitely at the top of the security issues real users face every day, since most people spend a great deal of time surfing the web and xss exploits are so trivial to code. some things you can do as a user - run noscript for firefox. i cannot stress this enough. allow js for sites you need and trust. block all of the others. if you do not run noscript, assume your cookies have already been stolen, likely multiple times.

for content producers, prefer css to js where they provide complimentary functionality and where it is technically possible. this will also provide higher performance.

there is little point bemoaning the state of site exploits further, as most of the exploiters know what they are doing and are making money by mining data they steal.

even for technically astute users and developers, i can assure you that you will be shocked and amazed at what some of the advanced xss hackers can do.

(Log in to post comments)

XSS is for real

Posted Apr 20, 2006 16:36 UTC (Thu) by Duncan (guest, #6647) [Link]

Indeed, XSS is a very real security worry.

I agree with the no-script thing. Turning off Javascript "drastic", as
the article states? I don't /think/ so! Rather, it's been the default
here for a good eight years or more. Scripting (and back on MSWormOS,
ActiveHex, and on Linux, plugins) and cookies are always off by default,
only turned on after I find I need them and ask myself what trust level I
have for the site, and whether my need for what the site offers justifies
the necessary hassle. I can state for a fact that a site's poor choices
have not only redirected my viewing, but thousands of dollars worth of
purchases, over the years. If they aren't security conscious enough to
realize that some users visiting their site won't have certain things
enabled by default, and have the site designed so at least information
about a product can be gathered without /too/ much jumping thru hoops to
turn stuff back on, then they obviously aren't concerned enough about
security to be worth my purchasing consideration, whether it's a site I'm
shopping right then with card in hand, or a manufacturer's site I'm
looking at for product info. There are other sites out there plenty
willing to let me be their customer, without the hassle.

FWIW, tho, not FireFox here, but Konqueror, with its per-site scripting
and cookie permissions, and privoxy, filtering the worst stuff and setting
all cookies to session-only by default, before Konqueror even sees it.

Duncan

XSS is for real

Posted Apr 23, 2006 15:42 UTC (Sun) by anton (guest, #25547) [Link]

>Turning off Javascript "drastic", as the article states? I don't
>/think/ so! Rather, it's been the default here for a good eight years
>or more.

On my accounts, I always turn off JavaScript (and a bunch of other
stuff), and *never* turn it on. And as for you, that certainly
affects what I buy.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds
Powered by Rackspace Managed Hosting.