Saturday, June 16, 2007
I'll try to explain "cross-site scripting"
I'm taking this on as a challenge. It's an important concept, it affects your security on the Web all the time, but even a lot of programmers get it wrong.
When you look at a web page, the site's server sends your browser a description of what to show, and it often also sends little programs that control what your browser does. That's where those obnoxious unclosable popup windows come from. The little programs ("scripts", written in a language called JavaScript) also have legitimate uses. For example, Gmail uses JavaScript to do work on your computer instead of making long round trips to Google's web servers.
Microsoft's First Immutable Law of Security says that once you let a bad guy run a program on your computer, from then on it's the bad guy's computer and not yours any more.
Scripts can't normally reach outside your web browser, but inside it they act with the same privileges as the site that served them. If you're logged in to that site, or have clicked "Remember me" there, a script on one of its pages can read your mail, change your settings, send messages in your name, and do pretty much anything else you could do from your browser on that site.
So you shouldn't let scripts run from places you don't have a reason to trust. That's why one of my first lines of defense on my own computer is to run Firefox with an add-on called NoScript. NoScript lets me automatically block scripts from sites I don't know but allow them from places like Yahoo!
So far so good, but what if a site you trust, like Yahoo!, allows people to contribute content, like in a message board? Or do something else that changes the web page you see? Could those people put in a malicious script? They can, and they do. Just a couple of days ago Yahoo! fixed a problem that would have allowed bad guys to take over all your Yahoo! email and other accounts.
The bad guy attacks by giving you a complicated link to click. Hidden in the link's address is the bad guy's script, and the trusted site (Yahoo! in this case) copies that part of the address back into the page it sends you, say as the search term in "Results for: ...". So if you click it, you land on a genuine Yahoo! page, with Yahoo!'s address and Yahoo!'s privileges, that now carries a script doing something the bad guy wants but that you don't.
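Here is the mechanism in miniature, as an added example for this post (not Yahoo!'s code, and not from the original post). The site name, the search parameter `q`, the page layout and the payload are all assumptions made up for the illustration. The vulnerable function copies the search term from the link straight into the page; the hardened version escapes it first so the browser shows it as text instead of running it.

```javascript
// Added example: a "reflected" cross-site scripting hole and the fix.
// Everything here is constructed for illustration: the site name, the
// parameter "q", the page layout and the payload are assumptions.

// Escape the five characters that let text break out of an HTML text or
// attribute context. "&" must be handled first so we don't double-escape.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Pull the search term out of a link exactly as a server would.
function searchTermFromLink(link) {
  return new URL(link).searchParams.get("q") || "";
}

// VULNERABLE: the site echoes the visitor-supplied term into its HTML as-is.
function renderSearchPageVulnerable(link) {
  const q = searchTermFromLink(link);
  return `<html><body><h1>Results for: ${q}</h1></body></html>`;
}

// HARDENED: same page, but anything from the link is escaped before it is
// placed inside HTML, so "<script>" arrives as visible text, not as a program.
function renderSearchPageSafe(link) {
  const q = searchTermFromLink(link);
  return `<html><body><h1>Results for: ${escapeHtml(q)}</h1></body></html>`;
}

// A crude check for the demo: the legitimate page never contains a <script>
// element, so one showing up means visitor input reached the page unescaped.
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Constructed "complicated link" of the kind the post describes: the script
// rides inside the address, percent-encoded so it survives as a URL.
const payload = '<script>alert("the bad guy\'s code runs here")</script>';
const attackLink =
  "https://example-trusted-site.test/search?q=" + encodeURIComponent(payload);
const normalLink =
  "https://example-trusted-site.test/search?q=" + encodeURIComponent("cheap flights");

console.log("vulnerable:", renderSearchPageVulnerable(attackLink));
console.log("hardened:  ", renderSearchPageSafe(attackLink));
```

The point the demo makes is that the page is served by the trusted site, so the injected script inherits that site's standing in the browser. The fix is on the site's side: escape for the context the text lands in (what is shown here is right for HTML text and quoted attributes; text placed inside a `<script>` block, a URL, or CSS needs that context's own escaping, and escaping for the wrong context is as good as none).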
This is tough to defend against if you want to get full value out of the web. You could refuse to click strange links, which is a good idea anyway, but you can't always recognize them as attacks. You can keep scripts turned off, but you'll have to turn them back on for a few valuable sites, and if any of those have a security hole that lets a bad guy upload scripts, you're hosed.