XSS web attacks could live forever, Google employee warns

From http://www.computerworld.com/s/article/9220511/XSS_web_attacks_could_live_forever_researcher_warns:

 

Solution =

1 - Don't use HTML5 local storage

2 - Close your browser often

3 - Use NoScript

How many will though ?

 

Not me, for sure.

Good article.

 

Rootkits in your Web application

 

Don't forget "re-creating a browser profile", to get away from the infection.

 

Also apps like Returnil and Shadow Defender would help. Just reboot and everything is gone.

 

What if you run OSX or Linux, what value are they then?

 

Returnil and Shadow Defender are nice for removing an infection but if you just have your browser hijacked you're still being tracked for the session.

 

How can a user determine if XSS Subversion has hooked into the browser?
Behavior: The displayed content has changed from the traditional content you are used to.
Advertising will not be the same because the attacker is pushing their content instead of the traditional content you were previously used to. Adblockers will conceal this alteration from your vision.
Search results may not be the same as an uninfected browser.

How can a user determine when and where they become infected by this method?
View page source?

In my experience, Firefox design allows for this attack to remain persistently unless the user is aware of how to undo the XSS subversion.
Chrome, due to a design difference from Firefox, only requires clearing all data from within the tools (from the beginning of time) and closing the browser and restarting.

 

The most effective way to fix XSS is for developers to write better web applications without those vulnerabilities in the first place. I'd also like to win the lottery, not sure which will happen first.

 

I'd say that prevention is much easier than mitigation. Like others said, block scripts and the XSS can't run.