How do you prevent default script attacks?

dthomas

What steps should be taken to make websites secure against default script attacks?

Topic: Security
Answer this Question

Answers

3 total
Christopher Nerney
Vote Up (12)

According to Hacking for Dummies, taking these steps will help prevent default script attacks: 

 

  • Know how scripts work before deploying them within a web environment.

     

  • Make sure that all default or sample scripts are removed from the web server before using them.

     

    • Don’t use publicly accessible scripts that contain hard-coded confidential information. They’re a security incident in the making.

     

  • Set file permissions on sensitive areas of your site/application to prevent public access.

 

StillADotcommer
Vote Up (11)

There is a good white paper about defeating script injection attacks that you might find interesting/useful, although it is a few years old now.

jimlynch
Vote Up (9)

Here's a background article on cross-site scripting that might be useful.

Cross-site scripting
https://en.wikipedia.org/wiki/Cross-site_scripting

"Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner."

Ask a question

Join Now or Sign In to ask a question.
Google, Dropbox and the Open Technology Fund are supporting a new organization focused on making open-source security and privacy tools more user-friendly.
Among six major U.S. cities, CSOs are paid the most in San Francisco and New York, but factoring in the cost of living makes Denver and Chicago the best bang-for-the-buck places.
Apple's iOS 8 addresses a serious weakness that could allow attackers to hijack the wireless network authentication of Apple devices and gain access to enterprise networks.
Legislation introduced in the U.S. Senate on Thursday aims to place limits on access by U.S. law enforcement agencies to emails and other communications stored abroad.
Two online advertising networks, Google's DoubleClick and Zedo, have been delivering malicious advertisements that could install malware on a person's computer, according to the security vendor Malwarebytes.
Google is turning on data encryption by default in the next version of Android, a step that mirrors broad moves in the technology industry to ensure better data security.
CloudFlare said it has engineered a novel way to handle sensitive encryption keys that allows organizations such as financial institutions to still use its caching service to fend off cyberattacks.
Samsung on Thursday announced price reductions and updates for its Knox security and management software for IT shops and a free My Knox service that is directly available to professionals using ActiveSync.
The breach of Home Depot's payment systems may have compromised 56 million payment cards as a result of malware that has since been eliminated, the company said Thursday.
Apple outlined its new privacy policy and set up a site to explain what information it collects from users and how it handles it, as the company enters new areas like health tracking and mobile payments that have potential privacy implications.
randomness