Protect Against XSS Attacks

Submitted by chuck1 on Wed, 2007-08-29 18:56

XSS (or cross-site scripting) attacks have been around for years, but they've been in vogue lately as more people administer websites. I myself was tricked into one that caused me a tremendous headache for a week. One can easily become over-confident and sloppy by doing most of what needs to be done to protect against this type of attack. The little bit left undone is what kills you.

The good news is that my problems have been fixed. It could have been a lot worse. It will be necessary to take precautions because I don't want to go through this again for a while. Let me share some of the things that I have done. (UPDATE: Since this post almost a year ago, the armor against XSS-attacks described below has totally protected me and my sites. So it works!)

These types of attacks can be especially pernicious if you are a website or network administrator, as they can expose the passwords and cookies of your admin accounts. If you are an admin, it behooves you not to get lulled into a false sense of security. Take every precaution, including:

  • For the love of God, get Firefox, Opera, Safari, or Konqueror. Using Internet Explorer is just asking for trouble, and even without the security issues, it provides a sub-par browsing experience.
  • Don't run JavaScript. Get the NoScript extension for Firefox so that you can allow JS for trusted domains (like your own) and block it for everybody else. (I had been doing this.) Either use the NoScript extension or disable it completely: in Firefox, Edit --> Preferences --> Content, uncheck "Allow Java" and "Allow JavaScript".
  • Don't run Flash (which is basically JS) -- even from places like YouTube, which is full of malicious files -- unless you are absolutely sure that it can be trusted. (Use NoScript for this.)
  • Turn off Java.
  • Don't visit any sites that you do not recognize -- period -- and check the url carefully when you get a link. forbs.com is not the same as forbes.com.
  • (For the truly paranoid) Browse text-only (Edit --> Preferences --> Content uncheck "Load Images" in Firefox). A skillful cracker can still get code to execute by cloaking it as a .jpg -- not common or easy, but possible.
  • Create a STRONG master password for your browser (Edit --> Preferences --> Passwords), change your existing passwords, and clear your private data upon exit. (Creating a master password will give you that option by default.)

I can't stress the last item enough. If you do get tricked, a master password plus regularly flushed private data can give you a fighting chance. At the very least, your stored passwords will be locked up, or at least those changed after the master password goes into effect. Your master password will not protect against attacks on sites that you are already logged into when you hit the evil XSS site. That's why it's important to clear everything regularly. You can still store passwords, which is nice because you can use multiple passwords for different sites but really only need to remember your STRONG master password. Clearing cookies and authenticated sessions upon shutting down Firefox will log you out safely and decrease your chances of giving up the goods.
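The same settings can be applied to a Firefox profile in one go through its user.js file, which Firefox reads at startup. The script below is an added example and not part of the original post: it appends the preferences matching the items above to the user.js of a profile directory passed as an argument, and reads one back so you can verify the profile is hardened. The pref names are real Firefox preferences (the clearOnShutdown names are the current ones; security.enable_java applied to Firefox builds of that era). Flash has no pref of its own and stays with NoScript, and the master password must still be set in the Passwords dialog.

```shell
#!/bin/sh
# Added example: write the post's Firefox hardening settings into a profile's user.js.
# Usage: harden_profile /path/to/firefox/profile
harden_profile() {
    profile="$1"
    [ -d "$profile" ] || { echo "no such profile dir: $profile" >&2; return 1; }
    # keep any existing user.js before appending to it
    [ -f "$profile/user.js" ] && cp "$profile/user.js" "$profile/user.js.bak"
    cat >> "$profile/user.js" <<'EOF'
// --- hardening prefs (see "Protect Against XSS Attacks") ---
user_pref("javascript.enabled", false);                 // "Allow JavaScript" off
user_pref("security.enable_java", false);               // "Allow Java" off (older Firefox builds)
user_pref("permissions.default.image", 2);              // "Load Images" off (text-only browsing)
user_pref("privacy.sanitize.sanitizeOnShutdown", true); // clear private data on exit
user_pref("privacy.clearOnShutdown.cookies", true);     // drop cookies ...
user_pref("privacy.clearOnShutdown.sessions", true);    // ... and logged-in sessions
EOF
}

# Read one pref back from a profile's user.js to verify the hardened state.
# Prints the value (e.g. false or 2); the last definition wins, as in Firefox.
# Exits non-zero when the pref is absent.
get_pref() {
    sed -n "s/^user_pref(\"$2\", *\([^)]*\));.*/\1/p" "$1/user.js" | tail -n 1 | grep .
}
```

Copy the profile back up before use; Firefox keeps user.js values on every start, so removing a line from the file does not undo it until the pref is also reset in about:config.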

If you do all that, you should be pretty safe.

Comments

#1 One more thing...

Submitted by chuck1 on Fri, 2008-09-19 16:53.

... I shouldn't even have to tell you this, but if you're administering websites, keep your CMS up to date.

Over a year since this was originally posted, and I'm still XSS-free! Yeah, it works.

#2 I don't think JPGs can contain

Submitted by Guest on Tue, 2009-09-15 03:20.

I don't think JPGs can contain executable code when downloaded from the internet. They can be used to camouflage another file, but JPGs cannot execute by themselves unless they are working inside a special environment where the environment knows about the camouflaged file.

#3 Yes, that's how it works

Submitted by chuck1 on Tue, 2009-09-15 12:46.

You download the JPG and get a special bonus gift along with it.

Copyrights to all content in the domain http://chucklinart.com are owned by the users who posted. All opinions are owned by the users who posted them and do not necessarily reflect those of the site's operators. The site itself is Copyright © 2006-2011, Charles Linart