A Blueprint to Stop Browser Attacks

(Page 2 of 2)

  • Thursday, May 14, 2009
  • By Erica Naone

Blueprint sits on a website's servers, reads user-generated HTML, and checks it against a white list of trusted code. It removes any potentially harmful scripts and decides how the content should appear in a browser. Then it reformats the information and transmits it to the browser. Blueprint makes sure, for example, to avoid characters and symbols that are sometimes used to send unauthorized scripting signals to a user's browser. Nonharmful content should make it through the process unaffected, the researchers say.

The root of the problem, explains V. N. Venkatakrishnan, an assistant professor of computer science who was involved in the project, is that browsers were originally designed to be forgiving of badly written Web-page code. "Browsers try to do the best possible rendering of any type of poorly formatted content," he says.

Over the years, different browsers have developed their own ways of interpreting poorly formatted content. Attackers can take advantage of this by inserting HTML that will run as a script in the right browser. "This makes the problem of filtering HTML content for scripts very, very challenging," Venkatakrishnan says. Efforts are under way to change the way browsers work, but the researchers say that another solution is needed in the meantime.

"What we want to do is to take away the ability for the browser's parser to make any script-identification decisions on the untrusted content that is supplied by the Web application," Venkatakrishnan says.
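To make the approach described above concrete, here is a small server-side filter written as an added illustration; it is not Blueprint's own code and not from the researchers. It parses user-supplied HTML on the server, keeps only a whitelist of tags and attributes, drops script and style bodies and comments, rejects link URLs whose scheme is not whitelisted, and then re-serialises the result as well-formed, fully escaped HTML so that the browser's parser is never asked to guess what malformed markup means. The whitelist, the allowed URL schemes and the sample inputs are constructed for the example; Blueprint itself, as Hansen notes below, delivers its output wrapped in a script rather than as plain HTML, which this example does not attempt.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed policy for this example; a real deployment derives it from the
# application's own content rules.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}}          # every other attribute is dropped
VOID_TAGS = {"br"}                       # elements that never take a closing tag
ALLOWED_URL_SCHEMES = {"http", "https", ""}   # "" means a relative URL


def safe_url(value):
    """Return the URL if its scheme is whitelisted, otherwise None.

    ASCII whitespace and control characters are removed first, so a scheme
    that has been broken up by such characters is still recognised as that
    scheme before the check is applied.
    """
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    if urlsplit(cleaned).scheme.lower() not in ALLOWED_URL_SCHEMES:
        return None
    return cleaned


class WhitelistRebuilder(HTMLParser):
    """Parse untrusted HTML and rebuild it from the whitelist only."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # canonical output pieces
        self.open_tags = []    # stack of currently open whitelisted tags
        self.skip_depth = 0    # > 0 while inside a <script>/<style> whose body is dropped

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            if tag in ("script", "style"):
                self.skip_depth = 1      # drop the element and everything inside it
            return                       # other unknown element: drop the tag, keep its text
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue                 # e.g. onclick, style, id are never emitted
            if name == "href":
                value = safe_url(value or "")
                if value is None:
                    continue             # non-whitelisted scheme: drop the attribute
            parts.append('%s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            self.skip_depth -= 1
            return
        if tag not in self.open_tags:
            return                       # stray or unknown closing tag: ignore
        while self.open_tags:            # close any inner tags left open, then this one
            closed = self.open_tags.pop()
            self.out.append("</%s>" % closed)
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))   # text is always escaped

    def handle_comment(self, data):
        pass                             # comments are never forwarded

    def result(self):
        while self.open_tags:            # close whatever the input left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(fragment):
    """Return the whitelisted, canonically serialised form of an HTML fragment."""
    parser = WhitelistRebuilder()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample inputs: benign markup, a dropped handler attribute,
    # a dropped script body, a rejected URL scheme, and unclosed tags.
    for sample in ("<p>Hello <b>world</b></p>",
                   '<p onclick="x()">hi</p>',
                   "<script>alert(1)</script>after",
                   '<a href="javascript:alert(1)">x</a>',
                   "<b>unclosed <i>text"):
        print(repr(sample), "->", repr(sanitize(sample)))
```

Because the output is rebuilt from the parse tree rather than patched in place, mismatched or unclosed tags in the input come out well-formed, and text that arrived as character references is re-escaped on the way out; the browser receives only markup the server has already decided on.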

Robert Hansen, CEO and founder of the Internet security company SecTheory, which maintains the XSS Cheat Sheet, says that, although Blueprint protects against most major cross-site scripting threats, it doesn't cover all possible threats. "There are other ways to get stuff rendered inside a browser, and unfortunately, this doesn't cover any of those," he says.

Hansen adds that the researchers' system protects content by wrapping it in a script that search engines can't read. "This isn't a panacea," he says, "but that's the big issue." Hansen says that cross-site scripting is too complex a problem to be stopped without changing how the browser works.

Guest (craigleech)

  • 1007 Days Ago
  • 05/14/2009

Scripts?

Who allows scripts to run, anymore?  I use Mozilla Firefox, and have the NoScript add-on installed.  I don't allow any scripts, except those from the original site and rare exceptions for media.  Learn how to use these tools to their full effect, and you'll never have to worry about "cross-scripting" ever again.  Why didn't this article cover this information, too?

Guest (craigleech)

  • 1007 Days Ago
  • 05/14/2009

Re: Scripts?

For this site to operate with full video support, I only had to allow [technologyreview.com] with full forever access, and [brightcove.com] with full temporary access (for video).

I blocked [googlesyndication.com, google-analytics.com, quantserve.com, and doubleclick.net].

I agree that advertising is necessary and keeps the Internet free to access, but until there is some "privacy" regulation imposed upon these advertisers (by Law and by the hosting site), I will not allow them to run by script.
