Technology Review
A software layer protects against cross-site scripting attacks.
As user-generated content has become more popular online, websites have increasingly allowed users to customize their contributions, such as blog comments or posts to social-networking sites, with HTML code. However, this also exposes websites to a type of attack known as cross-site scripting, which can allow attackers to steal information from users via a trusted site.
Next week, at the IEEE Symposium on Security and Privacy, in Oakland, CA, researchers from the University of Illinois at Chicago will present a new way to defend against cross-site scripting. The approach lets a website control how user-generated content is transmitted to a Web browser, potentially neutralizing cross-site scripting attacks before they can reach the intended victim.
Cross-site scripting involves getting a user's browser to run an unauthorized script injected somewhere on the pages of an apparently trustworthy website. The script might let an attacker steal a user's log-in credentials or other sensitive information.
"Cross-site scripting is the most prevalent vulnerability on the Internet," says Jeremiah Grossman, founder and chief technology officer for White Hat Security, who was not involved in the research. "It's kind of a cockroach out there in the industry." Grossman says that newer websites are better equipped to defend against cross-site scripting, but there are still millions of vulnerable sites on the Internet. "We need alternatives to fixing the code," he says.
The University of Illinois researchers developed a layer of software, called Blueprint, that Web developers can insert between user-generated pages and the browser. The researchers designed Blueprint to work with eight major browsers, which make up more than 96 percent of current market share, and tested the system against 94 types of cross-site scripting attacks taken from an Internet repository called the XSS Cheat Sheet. They found that it successfully prevented every attack on the list.
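An added sketch of the idea described above (a server-side layer that decides how user content reaches the browser), not Blueprint's own code or wire format: untrusted comment HTML is parsed on the server against an allowlist and sent as JSON data, on the assumption that a page script rebuilds it with DOM calls such as createElement and createTextNode. The tag policy and the names ModelBuilder, safe_url and to_model are hypothetical.

```python
import json
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for this sketch: tags commenters may use, with their allowed URL attributes.
ALLOWED = {"b": set(), "i": set(), "p": set(), "a": {"href"}}
DROPPED_WITH_CONTENT = {"script", "style"}
SAFE_SCHEMES = {"http", "https"}

def safe_url(value):
    try:
        return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES
    except ValueError:          # malformed URL: treat as unsafe
        return False

class ModelBuilder(HTMLParser):
    """Server side: turn untrusted HTML into a tree of allowlisted nodes and plain text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.root = {"tag": "div", "attrs": {}, "children": []}
        self.stack = [self.root]
        self.skip = 0           # >0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROPPED_WITH_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            return              # tag is discarded; its event handlers go with it
        kept = {k: v.strip() for k, v in attrs if k in ALLOWED[tag] and v and safe_url(v)}
        node = {"tag": tag, "attrs": kept, "children": []}
        self.stack[-1]["children"].append(node)
        self.stack.append(node)

    def handle_endtag(self, tag):
        if tag in DROPPED_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED:
            for i in range(len(self.stack) - 1, 0, -1):   # close nearest open match
                if self.stack[i]["tag"] == tag:
                    del self.stack[i:]
                    break

    def handle_data(self, data):
        if not self.skip:
            self.stack[-1]["children"].append(data)   # text node, never re-parsed as markup

def to_model(untrusted_html):
    """Return the content as JSON; '<' is escaped so the data cannot open or close a tag."""
    builder = ModelBuilder()
    builder.feed(untrusted_html)
    builder.close()
    return json.dumps(builder.root).replace("<", "\\u003c")
```

Because the browser's HTML parser never sees the user's markup, text that looks like a tag arrives as a string and stays a text node.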
Guest (craigleech)
Scripts?
Who allows scripts to run, anymore? I use Mozilla Firefox, and have the NoScript add-on installed. I don't allow any scripts, except those from the original site and rare exceptions for media. Learn how to use these tools to their full effect, and you'll never have to worry about "cross-scripting" ever again. Why didn't this article cover this information, too?
Guest (craigleech)
Re: Scripts?
For this site to operate with full video support, I only had to allow [technologyreview.com] with full forever access, and [brightcove.com] with full temporary access (for video).
I blocked [googlesyndication.com, google-analytics.com, quantserve.com, and doubleclick.net].
I agree that advertising is necessary and keeps the Internet free to access, but until there is some "privacy" regulation imposed upon these advertisers (by Law and by the hosting site), I will not allow them to run by script.