Sunday, June 08, 2008

Prevent Cross-Site Scripting (XSS) and browser security vulnerabilities

The famous and highly useful NoScript add on has been around for a while. This open source add on has been evolving so much and now it is compatible with Firefox 3.1a1pre (Minefield) along with other features such as Faster Base64 injection checks in Anti-XSS filters, Improved IP based shorthands and Enhanced cross-site POST blocking as an anti-CSRF mitigation.

For those who are not yet aware of what Noscript is:

It is no secret that Firefox is the top dowloaded browser in the world and one of the main reasons for this can be attributed to the add ons feature it provides. There are plenty of them out their to suit the various needs of the users right from file sharing to video downlods.

Apart from this it is also the most safest web browser. But can it be more safer?
Well, as most of you know the best way to visit any site that you are unfamiliar with is to turn off the javascripts, flash plugins, cookies etc etc. So obviously a safe browser can even be more safer with these things turned off. And that is where the NoScript add on comes in.

The NoScript Firefox extension provides extra protection for Firefox, Flock, Seamonkey and others mozilla-based browsers: this free, open source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice.

One of the major feature of this add on is that it provides protection to the infamous Cross-Site Scripting (XSS) vulnerabilities. This sort of vulnerability is highly used by the hackers to steal passwords of the users.

Already there have been many incidents where this vulnerability was used to steal Myspace passwords and online banking passwords. As a person who has written and read a lot about how many browsers were compromised to steal the identity and user authentication using this vulnerability am glad that NoScript has put special attention to this.

Cross-Site Scripting (XSS) vulnerabilities are usually programming errors made by web developers, which allow an attacker to inject his own malicious code from a certain site into a different site. This usually happens when you have a website open in your browser and open another page which executes the vulnerability. Many famous browsers such as even Firefox had this issue before they came up with ant-phishing techniques. But still even the white listed sites are prone to this attacks and NoScript has taken special care to tackle this with its Anti-XSS counter-measures.

One of the best features of NoScript is that it has an unique whitelist based pre-emptive script blocking technique which prevents exploitation of known and unknown vulnerabilities.

When I checked today the No Script website is at 4 among the movers and shakers section list. It is clearly a hit among users especially the ones who are into online transactions.

Related links:
Some people have problems with setting up this add on to its full potential. If you are one of those go here

About Cross-Site Scripting (XSS) and the Anti-XSS feature.

NoScript home page