There is a pretty good write-up of the dangers of allowing your browser to execute Cross-Site Scripting (XSS) payloads, or of allowing your web server to serve them, here:
Guardian Article on Javascript based XSS Twitter Hack
The article mainly focuses on the recent Twitter exploit and the dangers of server-side XSS vulnerabilities, but we can also protect against this at the browser level with the NoScript add-on for Firefox. FlashBlock and Click to Flash help with Flash issues, but Javascript is more pervasive, and XSS is more commonly implemented in Javascript.
I have been seeing so many of these on Facebook lately and am concerned that people are visiting Facebook with vulnerable web browsers. If you are using any browser other than Firefox with NoScript active and you think you are secure, please let me know what you did to fix your browser. This is the vulnerability that forced me off Safari and Chrome (both of which seem faster, but less secure than Firefox with NoScript and Flashblock).