Latest News
What is Cross-site Scripting (XSS)
Browsing opens you up to a whole new world of data and opportunities. However, visiting different websites comes with unseen risks. Your browser has...
Things you should know about information security
Information security can be defined as the state of being protected from unauthorized use of information or data, or the measures that are taken...
Blog Post
What is Cross-site Scripting (XSS)
Browsing opens you up to a whole new world of data and opportunities. However, visiting different websites comes with unseen risks. Your browser has no way of telling whether script in the site is trustworthy. As a result, many people become victims of malicious scripts through cross-site scripting. Therefore Cross-site scripting refers to the injection of malware into your trusted website. Hackers cannot approach you directly; hence they depend on the vulnerabilities of the sites you visit to deliver the malware.
The Same Origin Policy
Usually, browsers are protected by the same origin policy which ensures scripts from different website origins do not interact. But since the browsers cannot recognize attacker-controlled markups, it executes received text regardless of the source. The attacker is thus able to inject the malware into the browser of a web user. It also allows the hacker to steal your session cookies thus impersonating you. From this, they can deface a website, phish for your credentials, cause social networking havocs, carry out social engineering techniques allowing more attacks and spread outs.Types XSS
XSS delivery takes various language forms such as Java, HTML, flash, and Ajax. Their executions are, however, divided into three major groups.Stored XSS
As the name suggests, injected scripts become permanent on the visited web. This attack is the most dangerous cross-site scripting. When the user visits a website, the attacker gains access to their data. The unaware user will browse through the site and their details become available to the attacker. Stored XSS doesn’t require the user to click on any links, accessing the compromised site is sufficient. Stored XSS is quite challenging to execute, but their damages run deeper.Reflected
In this case, malicious content from the visited site ends up reflecting on one’s browser. It comes in the form of a link, and it requires the user to click on the link to execute the code. Once you visit the unsecured site, the attacker can deliver their payload script to your browser HTTP request. Whiles persistent XSS requires just a visit to the website; reflected XSS has to carry the malware payload to each victim. This attack is the most common, but people are becoming more aware and avoid clicking on pop up links and other social engineering methods used to lure them.DOM-Based
DOM-based scripting attaches the payload to the document object model unlike stored and reflected XSS that attach the codes to the HTML. It is a threat to over 50 percent of the sites for one simple reason. The traditional server-side filters cannot detect DOMs. Hash was adopted by JavaScript developers to keep track of malware in Ajax pages. The codes appearing after the hash do not get sent to the server, and thus the servers side protection filters cannot work for DOM-based XSS.Preventing XSS
There are two primary method methods fighting XSS attacks. The first is the use of side filters. For instance, if one of your clients submits a form, you must run it through an external filter. Some of the filters employed by developers are PHP and ASP. They track and remove dangerous keywords such asThings you should know about information security
Information security can be defined as the state of being protected from unauthorized use of information or data, or the measures that are taken to prevent such breaches. Information security is extremely vital in today’s world and the technological landscape. So much of what happens requires intense data crunching and processing so this data is of a highly sensitive nature and has to be protected. Now with the widespread implementation of IoT, the amount of data will increase exponentially. So how do we protect that data? Here are some things you need to know about information security so you can take steps to keep your data safe.
• The Attack Surface Increase
Most experts agree that in the coming years, with the increase of more and more devices being connected together, there is a lesser pin-pointing where an attack will come from. It is thought that just finding such attacks will be difficult and finding the malicious actors responsible for them will be even more so.
• Threat Diversity Increase
As technology progresses at an astonishing pace, attackers will devise new strategies to manipulate vulnerabilities. This problem is exasperated since there are more devices connected to networks, most of which do not have the security needed to counteract as such attacks. Improvement of technology will lead to more sophisticated attacks as well which makes it harder to fend off such attacks.
• Threat Sophistication Increase
As stated previously, the increase of technology equates to more complex attack strategies that are stealthy and can avoid systems that are made to detect attacks. Cybersecurity systems that are made on the point-in-time defences and techniques will quickly become obsolete.
• Urgent Remediation Needed
The complex attacks require complex and urgent solutions in order to keep the data or system safe. It is highly impractical for an organization to shut down crucial systems, if infected, because the cost of shutting down may be greater than the infection itself. Therefore, better remedies need to be implemented that can quickly detect, clean and bring back operations to a normal working condition.
• Compliance and Regulation Increase
There will be heavier restrictions and regulations on organizations forcing them to have tighter and more efficient systems in place for security and privacy. Failure to do so can have serious impacts on the company’s reputation and value. Further, the more connected we get, the more the line of ownership will get blurred. This leads to some new challenges in terms of creating and maintaining regulation requirements.
What we desperately need are systems that threat-centric that is pervasive like IoT and the threats themselves. It should be able to cover a wide range of attack vectors and be able to handle attacks head-on from before, during and after the attacks. This kind of model will be able to protect systems, networks, and data to have a safer and more connected environment for everyone.
Most experts agree that in the coming years, with the increase of more and more devices being connected together, there is a lesser pin-pointing where an attack will come from. It is thought that just finding such attacks will be difficult and finding the malicious actors responsible for them will be even more so.
• Threat Diversity Increase
As technology progresses at an astonishing pace, attackers will devise new strategies to manipulate vulnerabilities. This problem is exasperated since there are more devices connected to networks, most of which do not have the security needed to counteract as such attacks. Improvement of technology will lead to more sophisticated attacks as well which makes it harder to fend off such attacks.
• Threat Sophistication Increase
As stated previously, the increase of technology equates to more complex attack strategies that are stealthy and can avoid systems that are made to detect attacks. Cybersecurity systems that are made on the point-in-time defences and techniques will quickly become obsolete.
• Urgent Remediation Needed
The complex attacks require complex and urgent solutions in order to keep the data or system safe. It is highly impractical for an organization to shut down crucial systems, if infected, because the cost of shutting down may be greater than the infection itself. Therefore, better remedies need to be implemented that can quickly detect, clean and bring back operations to a normal working condition.
• Compliance and Regulation Increase
There will be heavier restrictions and regulations on organizations forcing them to have tighter and more efficient systems in place for security and privacy. Failure to do so can have serious impacts on the company’s reputation and value. Further, the more connected we get, the more the line of ownership will get blurred. This leads to some new challenges in terms of creating and maintaining regulation requirements.
What we desperately need are systems that threat-centric that is pervasive like IoT and the threats themselves. It should be able to cover a wide range of attack vectors and be able to handle attacks head-on from before, during and after the attacks. This kind of model will be able to protect systems, networks, and data to have a safer and more connected environment for everyone.