Pc World, Is Web 2.0 Safe?

http://www.pcworld.com/article/id,132153/article.html

(my bolding)

Mike

 

Nice read.

Thanks,

Chris

 

Even better reading, search for any post by @elio.

I have learned a lot, especially when @elio and @Rmus "discuss" whatever exploit. There are also many other posters that contribute to these discussions.

Mike

 

/me giggles

This is the part I love most:

Normally...

Latest blog entry by Robert Hansen AKA RSnake (quoted by the PC World's article) here: http://ha.ckers.org/blog/20070607/the-javascript-paradox/

 

PC World's arguments are deeper than they seem, after all...

[EDIT]:
Looks like the smart guys at PC World have fixed it.
But it won't last long...

 

This article is still very interesting and full with common sense...

Don't get me wrong, PC World's guys are proving to be smart and proactive (see above).
Maybe this means that they watch this forum or, more likely, that they can read their logs better than someone else who needed a report after one month of this...

But that's still #3, "Penetrate and Patch", anyway

On the other hand, they are recommending NoScript on their front page right now: there's hope for redemption

Rich, relax and click, it's nothing harmful. I hope you to enjoy it.
BTW, I swear on my honor that no link I'll post here will do any harm, just fun (when possible).
But keeping scripts disabled on message boards is basic hygiene, you're right.

 

Hello,

When I read this kind of sentence, I instantly close the article and stop reading.

Control the browser ... Really? Anyone ... Really?

Makes me wanna crucify myself, but in a gentle sort of way.

Mrk

 

Yes, really.
If you're picky, "interact with MySpace impersonating the victim", AKA "session riding".

Anyone browsing MySpace with JavaScript enabled.
RSnake would rate this "Anyone" as 99.99% accurate.

 

I personally dislike "the rich features"!

I sure hope the paranoid posters here at Wilder's understand how important brain.exe, FF AND NoScript are to their safety!

(my bolding in the RSnake quotes)

Mike

 

Like I always ask, "Was I supposed to see something bad happen? I am running FF and NoScript w/NO Whitelist."

Mike

 

I love this statement...

Mike

 

No, not really.

1. Why would you use MySpace? It's like using AOL.
2. And I do not agree with "anyone" browsing MySpace with JS enabled - although "anyone" using MySpace is using IE, in which case it is very likely.
3. Impersonating someone on MySpace - it's much like giving a false name when ordering a roast beef sandwich at Aroma cafe chain. If anyone is going to give their credit card / fall in love / donate kidney to someone called johhny87 on MySpace, well then ...

Mrk

 

You are a pretty funny guy... KEEP IT UP!

Mike

P.S. No need to reply to this post.

 

Hi Elio, it doesn,t seem to work on Opera( while it is working on FF). Why?

 

Because Opera is SLOW

The "trick" is set to be done after page finishes to load completely (including images and other objects), and your report seems to suggest Firefox finishes sooner.

This slightly modified version takes care of Opera's sluggishness

If you post one of your beautiful screenshots when you're done, that would be great

 

Slow in what? On my system Opera is significantly faster than FF.

I tried it, nothing happens at all.

 

In page loading, seemingly.

Are you sure you've got JavaScript enabled?
Maybe you're seeing cache?

This is what I get on Opera 9.21:

 

That attachment of yours is not there...
Mrk

 

Edited above, thanks... strange, I copied & pasted the code from the "Manage attachment" section, exactly as I've done now

 

It works. JS was off for PC world, I was mistaken as Site Preferences in Opera work differently than NoScript.

 

OK so there is some kind of XSS vulnerability in the pcworld.com site? And what does it do exactly?

Also, these kind of things can easily be avoided by going directly to sites were you need to enter important data (online shopping, banking.)

 

That's not the point. The vast majority of websites are vulnerable.

Whatever the attacker decides to do with your browser on the vulnerable website (or to the website appearance as you can see it in your browser), like any other XSS vulnerability. In this case, ironic instant defacing, but it could as easily be comment spam using your browser and your IP, bullet-proof credentials phishing (even automatic through auto-complete), session riding if you're already logged in, malware installation by faking the "downloads" section and so on.

Not necessarily, use some imagination. Worth readings may be this topic and this recap post.

 

Hi Elio, can policy based sandboxing of the browser prevent against XSS in any way? I think not!

 

Of course it cannot, you're right.
Sandboxing works around your browser: it controls the interaction of the browser with your local filesystem, and can be useful against malware installation.
XSS happens all inside your browser, hence sandboxing can't do anything against it.

 

Thanks elio. I guessed so.