Top 10 threats on the web 2 of 5

3. Insecure websites – XSS and CSRF attacks/malware

It’s quite hard to say which website is vulnerable and which is not. Or, if you like, you can consider every website vulnerable, because vulnerabilities such as XSS can be anywhere. All dynamic content can be the source of various security issues. But don’t be scared; just think reasonably, and if you visit only well-known websites you should be fine.
Anyway, if a website is vulnerable to XSS attacks, it is easy to plant malware or an exploit on the web page, where it can hide for a long time. If an exploit sits on a website with low traffic, there’s a chance it persists there longer than on a website with a huge number of users. Users can protect themselves against these types of threats by keeping their antivirus software updated and disabling script execution in the browser (if you are using Firefox, you can install the NoScript extension). It is very important to update your web browser immediately after a new release is out, especially if it patches security holes. However, there is still no ultimate security and no 100% protection. For example, if an attacker can upload just a small script to the website, he can sniff users’ cookies (including the administrator’s).

NoScript’s homepage

Although XSS and CSRF attacks could be considered not so dangerous for common users who have no accounts there (e-mail service, internet banking, subscribed services), you should be aware of them. With just a simple CSRF attack an attacker can steal users’ web application accounts, and all just by the user visiting a crafted link.

One click on a URL like the one in the picture could let a hacker get control over your computer

The real power of XSS and CSRF can be demonstrated by customizing the website. If an attacker wants to confuse the visitors, he can write his own text message on some news portal. It’s an easy, fast and effective attack.
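As an added illustration (not code from the original post), the following shows the pattern a crafted link abuses, a state change driven by a GET request and the session cookie alone, next to a hardened handler that requires a per-session CSRF token, plus output escaping for the stored-script case. The handler names, session id and server secret are constructed for the demo.

```python
import hashlib
import hmac
import html
from urllib.parse import parse_qs, urlparse

# Constructed demo secret; a real server keeps this out of source code.
SERVER_SECRET = b"constructed-demo-secret"


def csrf_token(session_id: str) -> str:
    """Derive a per-session token the server can re-check without storing it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def change_email_vulnerable(session_id: str, url: str):
    """'Before': a GET link changes account state using only the session cookie.
    Any page the victim visits can embed this URL, so a crafted link succeeds."""
    params = parse_qs(urlparse(url).query)
    new_email = params.get("email", [None])[0]
    if new_email is None:
        return ("error", None)
    return ("ok", new_email)


def change_email_hardened(session_id: str, method: str, form: dict):
    """'After': only POST is accepted and the form must carry the session-bound token.
    A third-party page cannot read the token, so its forged request is rejected."""
    if method != "POST":
        return ("rejected", "state change requires POST")
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(session_id)):
        return ("rejected", "missing or wrong CSRF token")
    return ("ok", form["email"])


def render_comment(user_text: str) -> str:
    """Escape user content before echoing it so a stored script never executes."""
    return "<p>" + html.escape(user_text, quote=True) + "</p>"
```

Combining the token check with HttpOnly session cookies also blunts the cookie-sniffing script the post mentions, since such a cookie is not readable from page scripts.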

Useful information:
http://en.wikipedia.org/wiki/Cross-site_scripting
http://www.cgisecurity.com/xss-faq.html
http://ha.ckers.org/xss.html
http://en.wikipedia.org/wiki/Cross-site_request_forgery
http://www.cgisecurity.com/csrf-faq.html

4. Insecure ActiveX controls

Although ActiveX controls aren’t so popular in IT security articles, we must say that many programmers make literally DANGEROUS ActiveX controls. Vulnerabilities in ActiveX controls can be sorted into two categories: exploitation of ActiveX “features”, and buffer overflow issues. Maybe you think vulnerable ActiveX controls are rare, but that’s not true. They are everywhere, and there’s quite a chance you have some on your own computer.

Internet Explorer supports detailed settings for the ActiveX controls

That’s because many applications install insecure ActiveX controls. Simply put: “the more applications installed on a computer, the higher the chance the computer is vulnerable to this type of vulnerability.” Hackers usually take the chance to comfortably exploit an ActiveX “feature” in order to hack web surfers’ computers rather than analyzing buffer overflow vulnerabilities.

Useful information:
http://en.wikipedia.org/wiki/ActiveX
http://msdn.microsoft.com/en-us/library/bb250471(VS.85).aspx