Nothing succeeds like XSS

Sysadmin blog Most users think the web works like a television. They go to a website and are presented with images, text and multimedia. What they don’t know is that, unlike a television, some of what they see executes on the server, and some on our own computers, and any time an application runs on our computers there is the potential for a vulnerability that could lead to the loss of our personal information or infection by malware.

Among other things, scripts that run on our local computers collect information such as location or configuration and report it back to websites to tailor our experience. Scripts can perform tasks such as spell checking or ensuring that you have typed your password and its confirmation identically. They can launch programs such as Adobe Flash or Reader. Depending on the level of permissions you have configured, scripts can read files from your computer, save files to your computer and even execute untrusted programs. Scripts can do almost anything your computer can do - if they have the permissions to do so.

Cross site scripting (XSS) is a vulnerability where a website contains calls to load and run scripts that are not located on its own domain. Compromised websites can be configured to load scripts from third-party websites that contain malware, or may compromise your privacy. Perhaps the best known legitimate example of this practice is Facebook. Though Facebook is located at facebook.com, it loads content and scripts from the Facebook Content Delivery Network, fbcdn.net.

The challenge of dealing with XSS is knowing when a website’s XSS is legitimate, and when it is a threat. It’s easy to use Flashblock to prevent all flash on a website loading and then simply allow individual flash objects to load by clicking on them. It is another thing entirely to convince users they should block all scripts from executing on their system by default, and allow only those from sites they trust permission to run.

The excellent Firefox plug-in NoScript allows us to do this. Unlike other security and privacy browser extensions that are fairly unobtrusive NoScript is, by its nature, an extension that breaks websites. When you arrive at a website filled with rich content provided by scripts, or calls to external programs such as Adobe Flash or Adobe Reader, NoScript prevents any or all of the potential vulnerabilities from running on your computer. A gaudy beige bar appears at the bottom of your web browser and helpfully informs you exactly how many items it stopped.

If you wish to use all the features of a website, you enable them one at a time. When you examine the list of objects that are loading, you often discover that many of them are trying to load from other websites. Unlike other security and privacy extensions such as an adblock, there is no preset “whitelist” of domains. Each user of NoScript has the difficult task of learning and understanding how the web is constructed, so as to make informed judgments about what bits of it have access to run programs.

This seems frightening, frustrating and needlessly time consuming to the average Joe. Indeed I know many a sysadmin who doesn’t see the value in NoScript. They would rather trade security for the convenience of having the websites they visit “just work” without any further thought. The inherent laziness of people who should know better wins out over security and privacy. We need to do better.

 NoScript is the best defence we currently have against dangerous scripting attacks, many of which can affect you regardless of which operating system you use. Considering I use the web for important activities such as banking and paying bills, I consider it to be absolutely vital. ®