Web browser XSS add-on security options

Microsoft Internet Explorer, Mozilla Firefox and Google Chrome (the three most popular browsers) provide the capability to control browser plugins and protect users from malicious XSS and IFrame attacks. Google Chrome offers NotScript, Mozilla Firefox offers NoScript, and Microsoft Internet Explorer uses an integrated XSS filter. The major drawback of the latter is that it uses a blacklist. So what happens with sites that are not on the blacklist and which are delivering XSS and malicious IFrame code? Maybe Redmond can answer this one.

Now let us briefly focus on the rather useful Mozilla Firefox add-on called ‘NoScript’. It provides added browser protection by allowing you to control whether JavaScript, Java, Microsoft Silverlight, Adobe Flash and other browser plugins are displayed. These plugins are one of the primary attack vectors at the time of writing.

Cross-site scripting (XSS), as mentioned above, is a vulnerability which allows a hacker to inject malicious code from one website into another. Another attack vector is clickjacking, which allows an HTML element to be inserted inside another HTML document; this is often referred to as an IFrame attack. These types of attack methods are growing in popularity with malware writers, for example the IFrame attack using a worm script on Orkut. XSS/IFrame exploits are difficult to identify unless you know what you are looking for, so you can see the value of controlling what scripts are presented to your browser. NoScript provides a high level of security from these attack vectors; however, the user will still need to make informed decisions on what plugins to allow.

NoScript also offers a useful whitelisting function, which is another important tool to allow users to add websites that they feel are safe. This function provides the option to allow execution of all scripts from websites that users visit. This is fine for technical people but for ‘average joe’, it might prove just too daunting.
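The difference between a blacklist and a whitelist, and the point about hidden IFrames being hard to spot, can be shown with a small page audit. This is an added example, not code from the original post or from NoScript; the hostnames, the sample page and the "hidden" heuristics (zero or one pixel size, `display:none`, `visibility:hidden`) are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: one first-party script, one allowlisted CDN script,
# one third-party script and one invisible third-party iframe.
SAMPLE_PAGE = """
<html><body>
<script src="/js/site.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script src="http://ads.example.org/t.js"></script>
<iframe src="http://widgets.example.org/frame" width="0" height="0"
        style="visibility:hidden"></iframe>
</body></html>
"""

class SourceAudit(HTMLParser):
    """Collect script/iframe/plugin sources and apply a default-deny allowlist."""
    def __init__(self, page_url, allowed_hosts):
        super().__init__()
        self.page_url = page_url
        # The page's own host is trusted; every other host must be listed.
        self.allowed = {urlsplit(page_url).hostname} | set(allowed_hosts)
        self.findings = []  # (tag, host, verdict, hidden)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe", "object", "embed"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src") or a.get("data")  # <object> uses data=
        if not src:
            return  # inline script: no source host to evaluate
        host = urlsplit(urljoin(self.page_url, src)).hostname
        verdict = "allow" if host in self.allowed else "block"
        self.findings.append((tag, host, verdict, self._hidden(a)))

    @staticmethod
    def _hidden(a):
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        return tiny or "display:none" in style or "visibility:hidden" in style

def audit(html, page_url, allowed_hosts=()):
    parser = SourceAudit(page_url, allowed_hosts)
    parser.feed(html)
    return parser.findings

if __name__ == "__main__":
    for row in audit(SAMPLE_PAGE, "https://www.example.com/", {"cdn.example.net"}):
        print(row)
```

With a whitelist, a host nobody has seen before is blocked by default, whereas a blacklist would let it through until someone adds it.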

In summary, these script blocking add-ons are not easy to use, but with a little patience and time you will realize their importance to your web browsing experience (and of course they add an extra layer of security). Why not take a look at the add-ons for Google Chrome and Mozilla Firefox for yourself right now? These are external links (please note the Google link is safe even though it contains an unusual string).

Download and install:
Google Chrome: https://chrome.google.com/extensions/detail/odjhifogjcknibkahlpidmdajjpkkcfn
Mozilla Firefox: https://addons.mozilla.org/en-US/firefox/addon/722/

Safe surfing folks!


2 Responses to Web browser XSS add-on security options

  1. Thanks for such a comprehensive blog entry. One of my sites has been hacked several times leading me to be paranoid about security. I will add this to my arsenal of defence!

  2. Julian says:

    Geek.com, a news technology website, has been hit today (16th May 2011) by a rogue iFrame attack. Several webpages have been infected with drive-by downloaders. The iFrames are hidden from view and sit behind the webpage, so users will not have noticed that they are being redirected to malicious websites. XSS is a very real threat and if you value your web browsing privacy I suggest you consider using a script blocking program.
