Technology Review - Published By MIT

Technology Review in English | en Español | auf Deutsch | in Italiano | 中文 | in India

click here...

A Blueprint to Stop Browser Attacks

A software layer protects against cross-site scripting attacks.

Thursday, May 14, 2009

E-mail

Audio »

Print

Favorite

Share »

As user-generated content has become more popular online, websites have increasingly allowed users to customize, for example, their blog comments or posts to social-networking sites with HTML code. However, this also opens websites up to the risk of a type of attack known as cross-site scripting, which can allow attackers to steal information from users via a trusted site.

Credit: Technology Review

Next week, at the IEEE Symposium on Security and Privacy, in Oakland, CA, researchers from the University of Illinois at Chicago will present a new way to defend against cross-site scripting. The approach lets a website control how user-generated content is transmitted to a Web browser, potentially neutralizing cross-site scripting attacks before they can reach the intended victim.

Cross-site scripting involves getting a user's browser to run an unauthorized script injected somewhere on the pages of an apparently trustworthy website. The script might let an attacker steal a user's log-in credentials or other sensitive information.

Story continues below

click here...

"Cross-site scripting is the most prevalent vulnerability on the Internet," says Jeremiah Grossman, founder and chief technology officer for White Hat Security, who was not involved in the research. "It's kind of a cockroach out there in the industry." Grossman says that newer websites are better equipped to defend against cross-site scripting, but there are still millions of vulnerable sites on the Internet. "We need alternatives to fixing the code," he says.

The University of Illinois researchers developed a layer of software--called Blueprint--that Web developers can insert between user-generated pages and the browser. The researchers designed Blueprint to work with eight major browsers, which make up more than 96 percent of current market share, and tested the system against 94 types of cross-site scripting attacks taken from an Internet repository called the XSS Cheat Sheet. They found that it successfully prevented every attack on the list.

Tags

browsers cross-site scripting web application security web applications

Related Articles

»

A Browser's View of Your Computer
08/07/2009
»

Search Spammers Hacking More Websites
07/30/2009
»

Firefox Aims to Unplug Scripting Attacks
06/29/2009

Comments

Scripts?

Who allows scripts to run, anymore? I use Mozilla Firefox, and have the NoScript add-on installed. I don't allow any scripts, except those from the original site and rare exceptions for media. Learn how to use these tools to their full effect, and you'll never have to worry about "cross-scripting" ever again. Why didn't this article cover this information, too?

Rate this comment:

craigleech
05/14/2009
Posts:2

Avg Rating:

Re: Scripts?

For this site to operate with full video support, I only had to allow [technologyreview.com] with full forever access, and [brightcove.com] with full temporary access (for video).

I blocked [googlesyndication.com, google-analytics.com, quantserve.com, and doubleclick.net].

I agree that advertising is necessary and keeps the Internet free to access, but until there is some "privacy" regulation imposed upon these advertisers (by Law and by the hosting site), I will not allow them to run by script.

Rate this comment:

craigleech
05/14/2009
Posts:2

Avg Rating:

Computing

How Secure Is Cloud Computing? » Get the newsletter »

Web

Google Gives a First Look at the Chrome OS » Get the newsletter »

Communications

Computers Can't Answer Everything » Get the newsletter »

Energy

A 25-Year Battery » Get the newsletter »

Materials

Biodegradable Transistors » Get the newsletter »

Biomedicine

Mimicking the Building Prowess of Nature » Get the newsletter »

Business

Thin-Film Solar with High Efficiency » Get the newsletter »

Today's Stories

Sign Up now for the Technology Review Daily Newsletter » Follow Technology Review on Twitter »

Log In

Forgot your password? Register »

click here...

Videos

Now Playing:
Making 3D Maps on the Move
[Full Story] [Larger Video]

Latest Videos

Making 3D Maps on the Move

Top Stories Of The Day

The Magazine

Subscriber Services

Technology Review November/December 2009

Current Issue

Natural Gas Changes the Energy Map: The United States has vast supplies of this cleaner fossil fuel. But how should we use it?

Featured Content

Sponsored by:

White Papers

Twelve ways to reduce costs with SQL Server 2008
Find out how to reduce costs and get more efficient

Total Economic Impact of SQL Server 2008 Upgrade
Forrester reports on increasing productivity and management capabilities

Achieving Cost and Resource Savings with UC
How Office Communications Server R2 and Exchange Server can make your business smarter and more efficient

The Compelling Case for Conferencing
Read how you can improve workload support and find IT efficiencies

How Windows Server 2008 R2 Helps Optimize IT and Save you Money
Read how you can improve workload support and find IT efficiencies

Windows Server 2008 R2 Hyper-V Live Migration
See how Windows Server 2008 R2 and Hyper-V enable virtualization and Live Migration

RSS Feeds

	TR Top Stories
	TR Editors' Blog

	TR Video Blog
	TR Video

click here...

Subscribe to Technology Review's daily e-mail update. Enter your e-mail address

click here...

Massachusetts Institute of Technology

© 2009 Technology Review. All Rights Reserved.