By Robert Vamosi The advantages of dynamic pages are many: content is fresher, easier to maintain, and easier to navigate. Unfortunately, some dynamic Web sites also expose you to cross-site scripting (XSS), a method of capturing personal information that's becoming increasingly popular with malicious users. While buffer overflows offer malicious users a way to take control of your computer, XSS rarely causes your system to be hijacked. Rather, XSS is an indirect way for a malicious attacker to fool you into revealing personal information or to exploit a secondary vulnerability on your desktop browser or within a Web site's server. XSS allows malicious users to hijack your Web-based e-mail accounts, manipulate your customer settings on a site, or steal information sent in cookies, which may include your bank account, credit card, or social security number.
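The mechanism behind the cookie theft described above is simple: a site takes text from the user (a search query, a name, a URL parameter) and pastes it straight into the page it sends back, so a string that contains a script tag runs as script in every visitor's browser. The following is an added example, not code from the article or from CNET, showing a tiny search page rendered both the unsafe way and with output encoding, plus the cookie flags that keep page script from reading a session cookie. The function names, the rendering template and the sample query are all constructed for the demonstration.

```javascript
// Added example (not from the original article): how a reflected XSS bug lets
// user-supplied text become script, and how output encoding stops it.
// renderSearchPage, escapeHtml, containsScriptTag, sessionCookieHeader and
// HOSTILE_QUERY are constructed names and data for this demonstration.

// Minimal HTML entity encoder for text placed inside an element body or a
// double-quoted attribute value. '&' is encoded first so the other
// replacements are not double-encoded.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// A results page that echoes the query back to the visitor. With `safe` false
// it concatenates the raw query (the classic reflected-XSS mistake); with
// `safe` true it encodes the query so the browser treats it as text.
function renderSearchPage(query, safe) {
  const shown = safe ? escapeHtml(query) : query;
  return `<html><body><h1>Results for: ${shown}</h1></body></html>`;
}

// Crude check used only to illustrate the difference: does the rendered
// page contain a real <script> element? (The template itself has none.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Session cookie with the flags that limit what page script can do with it:
// HttpOnly keeps document.cookie from exposing it, Secure restricts it to
// HTTPS, SameSite=Lax keeps it off most cross-site requests.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Constructed sample input: a query that carries markup instead of words.
const HOSTILE_QUERY = "<script>alert(1)</script>";

console.log("unsafe:", renderSearchPage(HOSTILE_QUERY, false));
console.log("safe:  ", renderSearchPage(HOSTILE_QUERY, true));
console.log("cookie:", sessionCookieHeader("session", "abc 123"));
```

The unsafe rendering contains a live script element; the safe one shows the same characters on screen but the browser never executes them. HttpOnly does not fix the injection, it only means a script that does run cannot hand the session cookie to a third-party site, which is the specific harm the article describes.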
Cookies are not necessarily dangerous. They allow sites such as Amazon to recognize you when you visit the site and offer personalized recommendations for products you may want to buy. By storing your password and ID, cookies allow you to automatically log on to your online bank or stock-trading site. Cookies are site-specific; for example, BigStore.com can't access your cookies from LittleStore.com, nor can a malicious user view all the cookies stored on your desktop. Cookies for financial sites tend to be encrypted, while those for e-commerce sites tend not to be.

For an attacker, the trick is to redirect your personal information to a third-party site that he or she can access. One popular method is to use malicious links. Often, these are sent in e-mail messages. They may appear to be legitimate URLs, but on closer examination, you can see that they include malicious Web addresses. Many of us--if we ever really look at the contents of a URL--tend to stop at the http://, believing that any string of information following must be legit. Indeed, a malicious URL could be coded in HEX, so http:// would become 0x0068, 0x0074, 0x0074, 0x0070, 0x003A, 0x002F, 0x002F, but otherwise, the URL would look like the address for search-engine results. Malicious users also trick us by hiding URLs in Web pages so that they look like standard hotlinks--until you click the link or view the page's source code.

Another way attackers gain access to your personal information is to create a pop-up asking you to reenter your username and password after you've already logged on to a legitimate Web site. Your browser (and your cookie info) is then sent to a third-party site that looks just like the legitimate one, but it's a fake that the malicious user can access. Since your browser might recognize the spoofed site as a trusted site--it thinks it's the same as the legit site--the malicious user could, with a well-crafted script, run potentially damaging code on your computer.
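The "look closer at the URL" advice above can be turned into a check. What follows is an added example, not code from the article, that undoes two of the disguises just described (the link's scheme or path written as hex character references in the page source, and a first host name that is really a user name in front of the true host) and reports the host the browser would actually contact. It then compares that host with the one the link's visible text claims. The function names and the sample links are constructed for this demonstration; the parsing itself uses the standard WHATWG URL class available in Node.js and browsers.

```javascript
// Added example (not from the original article): a link-inspection helper.
// decodeNumericRefs, effectiveHost, inspectLink and the sample links below are
// constructed for this demonstration.

// Decode HTML numeric character references such as &#x68; or &#104;, which is
// what the browser does to an href before following it. This is how a link
// written as hex in the page source still resolves to plain "http://...".
function decodeNumericRefs(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, hex) => String.fromCodePoint(parseInt(hex, 16)))
    .replace(/&#(\d+);/g, (_, dec) => String.fromCodePoint(parseInt(dec, 10)));
}

// Return the host the browser would connect to for an http(s) link,
// or null if the value is not a parseable http(s) URL.
function effectiveHost(href) {
  let url;
  try {
    url = new URL(decodeNumericRefs(href.trim()));
  } catch (e) {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.hostname.toLowerCase();
}

// Does the link carry a "user@" prefix? A familiar site name placed there is
// only a user name; the real destination is whatever follows the "@".
function hasUserInfo(href) {
  try {
    return new URL(decodeNumericRefs(href.trim())).username !== "";
  } catch (e) {
    return false;
  }
}

// Compare the real destination with the host named in the visible link text.
function inspectLink(href, visibleText) {
  const actual = effectiveHost(href);
  // Visible text is often a bare host name, so retry it with a scheme.
  const claimed = effectiveHost(visibleText) || effectiveHost("http://" + visibleText);
  return {
    actual,
    claimed,
    userInfo: hasUserInfo(href),
    mismatch: actual !== null && claimed !== null && actual !== claimed,
  };
}

// Constructed samples: one honest link written in hex, one disguised link.
const SAMPLES = [
  ["&#x68;&#x74;&#x74;&#x70;://www.example-store.com/deals", "www.example-store.com"],
  ["http://www.example-store.com@attacker.example/login", "www.example-store.com"],
];

for (const [href, text] of SAMPLES) {
  console.log(text, "->", JSON.stringify(inspectLink(href, text)));
}
```

The first sample resolves to the host its text names; the second reports `attacker.example` as the real destination and flags the user-info prefix. A mail client or proxy can run the same comparison on every link and warn when `mismatch` or `userInfo` is set, which is the automated form of the advice to look past the `http://`.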
Most attack methods these days require malicious users to be sitting at a terminal, waiting for you to open yourself up to harm, as opposed to a virus writer, who lets loose his or her virus and then sits back and waits days or weeks for the damage to be done. David Endler of iDefense Labs, however, thinks this won't always be the case. In a recent white paper, Endler says future XSS exploits could easily be automated. For example, a malicious user could set up a script that would send him or her e-mail whenever you access your Web-based e-mail account.

So what can you do to protect yourself? You can turn off your browser's JavaScript, but that will restrict the number of sites you can visit. You also can monitor all your cookie transactions, accepting or denying them individually. If you use Microsoft's Internet Explorer, you should set your security levels to High. Also, be wary of clicking URLs from people or sites you do not know or trust. But all of these will inconvenience you and may not even prevent an attack.
My advice: be careful where you click, and to whom you give your username or password. The information might not be going to the source you intended. Are you worried about malicious attacks through Web sites? Do you think you've ever been a victim of XSS? TalkBack to me!
Senior Associate Editor Robert Vamosi covers hoaxes, viruses, and security threats for CNET Reviews.