Thanks Ron! XSS doesn't get nearly the attention it merits in these forums. It's always lesser threats that get discussed in depth and at length instead.
It would have been even better if he gave more clear examples of how such an attack would work. It's still not completely clear to me. And I don't think I have ever been exploited by an XSS attack in over 20 years of web browsing.
This site might offer some clearer examples and explanation. BTW, XSS is one of the reasons why browser extensions like NoScript and uBlockO are available and recommended.
How to Prevent Cross-Site Scripting (XSS) Attacks August 22, 2019 https://blog.rapid7.com/2019/08/22/how-to-prevent-cross-site-scripting-xss-attacks/
What is cross-site scripting (XSS)? September 16, 2019 https://www.itpro.co.uk/cross-site-scripting-xss/34411/what-is-cross-site-scripting-xss
It turned out that input sanitization, particularly blacklisting, doesn't work in real world, and it's more so in the HTML5 era where many more attributes have been added. The rule of thumb to prevent XSS is escaping at HTML generation, and now we have CSP. CSP can be headache for webmaster, but even report-only mode makes sense and older headers like X-XSS-Protection & X-Content-Type-Options are still available, tho many sites don't adopt them.
100% agreed. Each security measure should be prioritized by what is most likely pathway your data may be leaked. Once I learned malware protection, I moved to focus on these web threats and router security. Next I looked at online services, hardened passwords and reduced info on them, at the same time evaluated each services for their security using various methods and closed or switched some services. Now I'm trying to secure my family and colleagues. If you know none of your username, password, etc. have ever been leaked, you'll be right. If not, how can you know? Ofc when a big name like Twitter had a XSS vuln, it made news. But for less popular services nothing is sure and XSS vuln is too much prevalent among them. There's no client-side "scanner" to see if you're affected. Just pray all your services don't have such a vuln, or criminals overlook them, or they have sufficient detection system and diligently report you about data leakage. We take security measures not because we'll be affected but as a proactive measure as there's a little probability. The probability you get infected would be close to 0% except supply chain attack, but that of getting to be victim of XSS would be much higher if you don't take any measure. We once talked about Opera's what-is-now-called supply chain attack. After that I stopped using all unnecessary software including CCleaner as a proactive measure. We know what happened after that.
Thanks Yuki, I'm glad I'm not the only one So much prevention depends on the server's admin doing a thorough job on hardening their web applications to prevent XSS. Honestly I don't think about XSS that much at all, but I know it's a real and serious threat. On my end I use script control with a browser extension and browser hardening.
Yeah, I don't too but it's at least more worth considering than fearing about a highly sophisticated targetted attack. If you don't grobally allow scripts/frames for your important sites, you'll be safe from not only XSS but also Clickjacking and some CSRF. Preventing all CSRF requires hard-mode or uMatrix, but there's an alternative approach to prevent all of them: separate browser profiles so when you login to a site or purchase sth use a dedicated profile for that while keep all other browsing on another profile (or another browser). Firefox's tab sandbox is yet another way to achieve the same. Of note, forcing "SameSite=Lax" which I noted here mitigates some CSRF and many timing attacks such as Twitter-Silhouette & several TLS side-channels. If you use Firefox, changing "network.cookie.sameSite.laxByDefault" to True have the same effect. I've been browsing with them turned on, so far I've found some embedded videos don't work because of this - as those services have not added SameSite=None to their cookies.
