Posts Tagged ‘Browsers’
Heya. I haven’t blogged in a while, but I do want to start getting back into it.
So, we’ll start with something small.
Just remember, though: cookies aren’t the only credentials that can be stolen with XSS or other methods. ‘Dynamic’ phishing methods that don’t rely on a third-party site are still somewhat hard to detect and should be watched out for.
The URL http://<script> contains characters that are not valid in the location they are found.
- The reason for their presence may be a mistyped URL, but the URL may also be an attempt to trick you into visiting a website which you might mistakenly think is a site you trust.
This is the first time I’ve seen anything like this. Now, while it may not in itself be a security feature, it could certainly go in that direction. If it also dealt with encoded chevrons (< as %3C), then it could be a large jump forward in the fight against XSS, specifically reflected vectors.
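To show what the suggested check would have to do, here is an added example (not the browser’s code and not part of the original post) that flags chevrons in a URL’s path, query and fragment after percent-decoding, so that the `%3C` form and even a double-encoded `%253C` are caught; the component names and the decode bound are my own choices.

```javascript
// Added example: flag URLs whose path, query or fragment contain "<" or ">"
// once percent-encoding has been undone, so encoded chevrons do not slip past
// a check that only looks at the raw text.
const MAX_DECODE_ROUNDS = 3; // assumption: a small bound stops endless nesting

// Percent-decode repeatedly until the text stops changing or the bound is hit.
// A malformed escape (e.g. a lone "%") simply ends decoding at that round.
function fullyDecode(text) {
  let current = text;
  for (let i = 0; i < MAX_DECODE_ROUNDS; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (_) {
      return current; // invalid escape sequence: keep what we have so far
    }
    if (next === current) return current; // nothing left to decode
    current = next;
  }
  return current;
}

// Return the names of the URL components in which a chevron appears after
// decoding; an empty list means the URL would pass without the warning above.
// The host is not checked: the WHATWG parser already rejects "<" or ">" there,
// which is why "http://<script>" comes back as unparseable.
function findChevronComponents(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (_) {
    return ["unparseable"];
  }
  const components = {
    path: url.pathname,
    query: url.search,
    fragment: url.hash,
  };
  return Object.entries(components)
    .filter(([, value]) => /[<>]/.test(fullyDecode(value)))
    .map(([name]) => name);
}

// Constructed sample URLs (no real site):
//   findChevronComponents("http://example.test/search?q=%3Cscript%3E")  -> ["query"]
//   findChevronComponents("http://example.test/a/%253Cb%253E")          -> ["path"]
//   findChevronComponents("http://example.test/index.html?page=3#top")   -> []
```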
I have posted on a few web browser community boards in the hope of drawing attention to this suggestion. I doubt it will be implemented soon. But with XSS being the top risk lately, it’s slightly comforting to know we might have at least some defense.
I’ll update my non-existent readers on the status of the message board threads.