How do you prevent default script attacks?

dthomas

What steps should be taken to make websites secure against default script attacks?

Topic: Security
Answer this Question

Answers

3 total
StillADotcommer
Vote Up (9)

There is a good white paper about defeating script injection attacks that you might find interesting/useful, although it is a few years old now.

Christopher Nerney
Vote Up (9)

According to Hacking for Dummies, taking these steps will help prevent default script attacks: 

 

  • Know how scripts work before deploying them within a web environment.

     

  • Make sure that all default or sample scripts are removed from the web server before using them.

     

    • Don’t use publicly accessible scripts that contain hard-coded confidential information. They’re a security incident in the making.

     

  • Set file permissions on sensitive areas of your site/application to prevent public access.

 

jimlynch
Vote Up (8)

Here's a background article on cross-site scripting that might be useful.

Cross-site scripting
https://en.wikipedia.org/wiki/Cross-site_scripting

"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner."

Ask a question

Join Now or Sign In to ask a question.
An Android Trojan app that sends SMS messages to premium-rate numbers has expanded globally over the past year, racking up bills for users in over 60 countries including the U.S., malware researchers from Kaspersky Lab said.
The evolving nature of cyberattacks demands a more dynamic response, according to government CIOs making an effort to implement real-time, continuous monitoring and reporting for security issues.
These tips and tools can help you keep your smartphone close, and protect your data if it strays.
Texas EquuSearch contends that FAA rules do not bar drones for 'humanitarian use'.
Revelations about U.S. secret surveillance programs have left China's Huawei Technologies exhausted on the public relations front, a top company executive said Wednesday.
Some Android apps thought to be vulnerable to the Heartbleed bug were spared because of a common coding error in the way they implemented their own native OpenSSL library.
The panic over the Heartbleed bug is proving to be a convenient distraction for hackers using standard techniques in a fresh wave of attacks targeting at least 18 U.S. universities, according to a computer security researcher.
'Triple-handshake attack' threat quashed in update for OS X Mavericks and Mountain Lion, and iOS 7.
BlackBerry today released an update to its BlackBerry Enterprise Service (BES) 10 software designed to address a "Heartbleed"-related OpenSSL vulnerability in the version of Apache Tomcat used within the BES BlackBerry Work Connect Notification Service. (A detailed breakdown of the vulnerability is available on NIST.gov.)
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

randomness