Prevention?
To avoid malicious attacks and issues arising from system vulnerabilities, HTML special characters need to be encoded in any data that could be considered a threat. This must happen before the web content is displayed, and several programming languages provide this encoding, which is known as “escaping” or “quoting”. The downside is that it disables particular functionality in web applications, specifically those for web mail and forums, which rely on user-supplied markup.
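The escaping step described above, as an added Python example that is not code from the original article. The sample post and author name are constructed for the demonstration; the defective concatenation is shown beside the escaped version, and a small check confirms that no literal start tag survives in the escaped output. The escaped rendering also shows the downside the paragraph mentions: the poster's `<b>` markup now appears as literal text.

```python
import html
import re

# Constructed sample values (not from the original article): a forum post that
# carries markup, and a display name that tries to break out of an attribute.
UNTRUSTED_POST = '<script>alert(1)</script> Great deal & <b>cheap</b>'
UNTRUSTED_AUTHOR = 'eve" onmouseover="alert(1)'


def escape_html(value: str) -> str:
    """Encode the five HTML-significant characters (& < > " ') so the browser
    shows them literally instead of interpreting them as markup."""
    return html.escape(value, quote=True)


def render_post_unsafe(post: str, author: str) -> str:
    """The defect: untrusted values concatenated straight into the page."""
    return f'<div class="post" title="{author}">{post}</div>'


def render_post(post: str, author: str) -> str:
    """The fix: every untrusted value is escaped at the point of output, whether
    it lands in a text node or inside a quoted attribute."""
    return (f'<div class="post" title="{escape_html(author)}">'
            f'{escape_html(post)}</div>')


def contains_raw_tag(rendered: str, tag: str) -> bool:
    """Review/unit-test check: did a literal <tag start tag reach the output?
    Escaped text never matches because the '<' has become '&lt;'."""
    return re.search(rf"<{re.escape(tag)}\b", rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("unsafe:", render_post_unsafe(UNTRUSTED_POST, UNTRUSTED_AUTHOR))
    print("safe:  ", render_post(UNTRUSTED_POST, UNTRUSTED_AUTHOR))
```

`html.escape(value, quote=True)` is what makes the attribute context safe: without `quote=True` the double quote in the author name would end the `title` attribute even though `<` and `>` were encoded.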
There are applications that strive to encode or remove all potentially malicious HTML, but because the task is so complex, it is difficult to know how thoroughly such a process catches every offence. This is largely because scripts are closely tied to the HTML syntax, and considerable interpretation would be needed to determine how servers resolve or fix broken HTML.
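The “encode or remove” approach described above, as an added Python example that is not code from the original article. Rather than pattern-matching the raw string, it parses the untrusted markup with the standard library's `html.parser` and rebuilds the output from scratch, keeping only an assumed allow-list of tags and attributes (`ALLOWED_TAGS`, `ALLOWED_ATTRS`, `ALLOWED_SCHEMES` are choices made for this example), escaping all text, and dropping `<script>`/`<style>` bodies and comments. Because the output is regenerated from the parse rather than copied through, the sanitizer, not whatever later consumes the markup, decides how broken HTML is resolved. The sample post is constructed for the demonstration; a production system would use a maintained sanitizing library with the same allow-list design.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list for forum-style posts (an example policy, not a standard).
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no on* handlers, no style, no id
ALLOWED_SCHEMES = {"http", "https"}      # rejects javascript:, data:, vbscript:
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}  # the element and its body both vanish


class AllowListSanitizer(HTMLParser):
    """Rebuild untrusted HTML from a parse, keeping only allow-listed markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # output fragments
        self.open_tags = []  # stack of emitted, still-open tags
        self.skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            # URL attributes are only kept for explicitly allowed schemes;
            # a missing or malformed scheme fails closed.
            if name == "href" and urlsplit(value.strip()).scheme.lower() not in ALLOWED_SCHEMES:
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # Close everything opened after this tag so the output stays well-formed.
        while self.open_tags:
            opened = self.open_tags.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        # Text is always escaped; script/style bodies are discarded entirely.
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=True))

    # Comments, doctypes and processing instructions use HTMLParser's default
    # no-op handlers, so they never reach the output.

    def result(self) -> str:
        self.close()
        while self.open_tags:  # close anything the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(untrusted: str) -> str:
    """Return a well-formed HTML fragment containing only allow-listed markup."""
    parser = AllowListSanitizer()
    parser.feed(untrusted)
    return parser.result()


# Constructed sample post (not from the original article).
SAMPLE_POST = ('<p onclick="alert(1)">Hello <b>world</b><script>alert(1)</script>'
               '<a href="javascript:alert(1)">bad</a> '
               '<a href="https://example.com/deals">ok</a>'
               '<img src=x onerror=alert(1)> 1 < 2</p><!-- hidden -->')

if __name__ == "__main__":
    print(sanitize_html(SAMPLE_POST))
```

The allow-list direction matters: a deny-list that strips known-bad tags has to anticipate every parser quirk the paragraph warns about, whereas this design emits nothing it has not explicitly approved.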
There are web programs available that let users disable client-side scripting, which prevents them from falling prey to cross-site scripting attacks. However, some tactics can still be used to trick users, such as loading external content with the special tags “<” and “>”. Users can also disable scripts for particular web sites in their browser settings, but this requires knowing beforehand which sites contain malicious scripting, and some sites do not function properly with these restrictions in place.
Solutions
Reliance on good web programming is a necessity. There is little a user can do to provide protection; the burden of providing safe online activity typically rests on web developers. Some of the top web companies, such as eBay, Microsoft and Google, have had to address scripting vulnerabilities. Validating user-submitted scripts and fixing cross-site scripting vulnerabilities are solutions that need to be addressed on the server side.
We are still in the early stages of scripting attacks, but given the popularity of this kind of JavaScript functionality, and with malware creators turning to more sophisticated and stealthy tactics, it is likely we will see more issues related to malicious scripting. Adhering to best practices is highly recommended but cannot, in all situations, provide sufficient protection from malware attacks. These attacks can be a serious matter with respect to loss of confidential information.
In the event that malware is downloaded to your system, a thorough and effective tool for detecting and removing malicious and infected items is crucial. We recommend you try