Why Are JavaScript Attacks So Dangerous?

Why Are JavaScript Attacks So Dangerous?.

-- Tom

 

I wonder if ScriptSafe really does something. I know that NoScript is powerful, but Chrome users only have ScriptSafe and ScriptBlock, in which ScriptSafe works better for me.

 

Chrome has an Anti-XSS Filter built-in as well.

 

Well yes, but, what about ScriptSafe itself? How much the contribution it gives to protect its users from javascript exploits?

Eh, I answer my own question. The various HOSTS files must have a purpose and from what I can tell, ScriptSafe does its job just fine, javascript filtering. If we allowed javascript in a hijacked webpage, then there's still Chrome's sandbox.

 

The video was about the less common but more dangerous persistent xss. Here's an excellent video fully demonstrating it where the fictional victim's cookie is stolen to access his bank account:

-http://www.youtube.com/watch?v=foTEOsJuR4c

..notice how the script executes "silently" (around the 9:25 mark) when the victim simply navigates to his message inbox.

 

@wat0114

Is there a way to mitigate it? I assume that if we whitelisted the bank's website, the malicious script would be allowed to execute as well.

 

Scripting control in the browser is probably the best way, especially Firefox' NoScript. Also I think most browsers have some sort of XSS control built in, with varying degrees of effectiveness. Fortunately non-persistent xss is the most common, which normally involves social engineering to pull off, convincing the target victim to click on a malicious link in an email or webpage, so of course never access sites through email or similar links, instead access them directly.

As for the persistent type (less common, more dangerous), one has to hope the website administrator has taken all the proper steps to escape user editable field values on the server.

BTW, the banking attack example was a pretty extreme case, because no bank worth their salt will use http and message boards, but it does illustrate how easily xss can be pulled off if, as the individual in the first video states, even one oversight is made in properly escaping javascript coding on the website.