How do you prevent default script attacks?

dthomas

What steps should be taken to make websites secure against default script attacks?

Topic: Security
Answer this Question

Answers

3 total
StillADotcommer
Vote Up (9)

There is a good white paper about defeating script injection attacks that you might find interesting/useful, although it is a few years old now.

Christopher Nerney
Vote Up (9)

According to Hacking for Dummies, taking these steps will help prevent default script attacks: 

 

  • Know how scripts work before deploying them within a web environment.

     

  • Make sure that all default or sample scripts are removed from the web server before using them.

     

    • Don’t use publicly accessible scripts that contain hard-coded confidential information. They’re a security incident in the making.

     

  • Set file permissions on sensitive areas of your site/application to prevent public access.

 

jimlynch
Vote Up (8)

Here's a background article on cross-site scripting that might be useful.

Cross-site scripting
https://en.wikipedia.org/wiki/Cross-site_scripting

"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner."

Ask a question

Join Now or Sign In to ask a question.
A new webmail service called Lavaboom promises to provide easy-to-use email encryption without ever learning its users' private encryption keys or message contents.
Oracle has issued a comprehensive list of its software that may or may not be affected by the OpenSSL (secure sockets layer) vulnerability known as Heartbleed, while warning that no fixes are yet available for some likely affected products.
It took just four days for German researchers to trick the Samsung Galaxy S5's fingerprint scanner into accepting a mold of a fingerprint instead of a real finger.
Telecom operator Telefónica has launched the first mobile ad-exchange platform to use the operator's customer demographics and real-time location data to serve targeted mobile ads, the company said on Wednesday.
International conflicts such as the current tensions over Ukraine could stand in the way of global cooperation on cybersecurity, according to the founder of Kaspersky Lab.
In the race to protect themselves from the Heartbleed vulnerability, enterprises could be opening themselves up to new attacks if they aren't careful.
Wireless carriers in the U.S., handset makers and the industry's lobbying group have made a significant concession on technology that could remotely disable stolen smartphones and tablets.
Google has issued a patch for an attack that could lead an Android user to a phishing site, according to security vendor FireEye.
VMware started patching its products against the critical Heartbleed flaw that puts encrypted communications at risk, and plans to have updates ready for all affected products by Saturday.
The source code of TrueCrypt, a popular disk encryption tool, is not the most polished work of programming, but it has no critical flaws or intentional backdoors, security testers concluded in a report released Monday.
randomness