The Paranoid Lady’s Guide to Web Attacks, or Why You’ll Love NoScript

Ah, Javascript. Such amazing effects! Web 2.0 really would not be quite as engaging without it. However, as much as Javascript improves the user experience (when it works) and enables fun effects – it also gives great power to those who wish to exploit users for their own gain. Popups and ads, for example, rely heavily on Javascript, and so do attacks which download and install programs on your computer, as well as those “Click this link to learn the secret to a great life OMG!!!!” messages followed by “Sorry! Got hacked!” on Facebook.

Popup windows and ads have been with us for a long, long time. Thanks to browser extensions like AdBlock and the browsers’ own anti-popup functionality, this is not something we need to worry about most of the time.

What’s more worrying are the following malicious behaviors:

Cloaking: This is mostly an annoyance to researchers trying to identify the spammy/scammy sites on the web. Cloaking is a Javascript trick that looks at various information your browser gives away – e.g. did you come to this site by chance, or did you click a link from a search engine result? – and then serves a different version of the webpage depending on those factors. This is, for example, why you might be redirected to a mobile version of Persephone Magazine when you use your cellphone rather than a desktop browser or why you can’t watch Hulu videos from a cellphone without shelling out for Hulu+. The site using cloaking might decide to give you advertisements and redirect you to sites selling pharmaceutical products of a dubious nature if you come from search engine results, but it might serve you a 404 page if you come from a university IP address.

Drive-by downloads: These sorts of downloads seem to happen out of nowhere. You’re visiting a page, and all of a sudden you’ve downloaded some executable program you didn’t mean to. Sometimes, you don’t even know that you’re authorizing it because they use CSS and Javascript in combination to layer the “OK” button on top of something like “Close Window” for an annoying popup. Either way, you’ve got something you didn’t mean to download. It could be named anything, so you may be tricked into clicking on it and executing it if, a couple days later, you look in your downloads directory and mistake it something else.

XSS: XSS stands for Cross Site Scripting. XSS attacks often exploit the same-origin policy, which would prevent Javascript from from being able to manipulate elements of However, if uses code from as part of an ad, it looks as if all the code originates from and so the malicious code can now have access to the elements of

Remember the Samy worm on Myspace? That was all Javascript. It happened because anyone viewing an already compromised page on a trusted site (in this case, Myspace) would execute that Javascript and in turn become compromised. XSS is an exploit that executes arbitrary code on unprotected websites. What’s not safe? Any field that allows user input without sanitization – i.e. comment forms. Do you allow users to post images? Yes? Are you sure they’re limiting their ‘img’ tags to urls that point only to images? There’s nothing preventing them from linking to a Javascript or executable on a remote server unless you sanitize the input. If you don’t sanitize input, the script could perform something like stealing the user’s cookies. If the user ever saves passwords for websites, those are more than likely contained in cookies. That means the attacker now possesses the virtual token used for authentication. Luckily, the default policy of many websites is to expire cookies after a period of time, but any period time the attacker has to a user’s credentials is too much time already.

CSRF: CSRF stands for Cross Site Request Forgery. CSRF does require the attacker to know its victim sites very well, and rely on the fact that the victim is in an authenticated session. It exploits the assumption that the browser accessing a particular website can be trusted.

This means, often with help from XSS, if you visit the wrong link or happen to load a page that contains an ad with bad scripts, the attacker owns your credentials for as long as you’re logged in. If, for example, you’re logged into Facebook, and you visit a site which contains a CSRF attack, then that site can run code that takes advantage of your existing session with Facebook to forge requests that paste something in your profile. That something may be a message with, “Oh hey! Check out this awesome video I just found!” linking to that scammy website, which in turn compromises your friends’ accounts. Worse, it may try to change your password and email address to steal your credentials. Facebook no doubt has measures now in place to prevent such instances, but more often than not, security is implemented as a countermeasure after the fact rather than a preventative policy. (As for the past? Well, just do a search for CSRF or XSS attacks and your favorite websites to see the depressing history.)

So, what can you do? First – always choose to disable 3rd party cookies or Javascript for sites in the preferences section of your browser. You always have the option of manually approving a whitelist of sites that can run Javascript even without any extensions on just about any browser, but that terribly annoying and inconvenient. If there’s one thing I’ve learned, it’s that even paranoid users of the web sometimes opt for convenience. So, the next best thing for users of Firefox or Chrome is NoScript on Firefox or NotScript on Chrome. Sorry, users of IE or Safari – as far as I know, options are limited on those browsers. To some degree, AdBlock on all browsers can block some of the problems mentioned above. I do, however, consciously disable AdBlock on sites I want to support, such as or

Tired of those embedded flash videos ads that suddenly boom with terrifying voices promising you free iPods? Disable Javascript to the rescue! Both NotScript and NoScript are simple. They identify sources of Javascript. For example, needs you to run Javascript so that it can play videos. However, (which should appear as a 3rd party site) does not necessarily need the same permissions to run Javascript so that it may track your clicks and movements on the site. Unfortunately, sometimes it’s a bit of trial and error until you enable the right combination of domains before the page behaves the way you want. However, both should give you the option of giving temporary permissions, so that once you’re away from the page, you can right click and choose to “Revoke Temporary Permissions.”

Another option, if you have a machine that meets minimum requirements, is to use a virtual machine in place of your browser. VMWare Player is a free software that lets you run another operation system within your current setup. Linux is a free and popular option, and the vmware site should have plenty of free images for you to use. The virtual machine is a sandboxed environment so that even if you visit a virus-ridden site, only the virtual image is corrupted. The rest of your machine is safe. There is some inconvenience in this, as you must run the virtual machine to boot up a second operating system. However, the advantage is that if that virtual machine is corrupted, you can simply delete it, roll back, or re-image it so that it’s clean and untainted without disrupting the rest of your system. I’ve used a virtual machine to browse sites when I know it’s likely to be a dangerous site – e.g. when I’m examining the links in a phishing email.

What I personally do, because I tend to err on the lazy side, is to rely on multiple browsers and profiles. If you do this, all your sessions across multiple websites are (hopefully) sandboxed from each other. Firefox is magical for this, though I do use Chrome just as much. I have a Firefox profile which has only and’s Javascript enabled and I only use those sites there, so I feel safe in saving cookies on that particular profile. Then I have one browser in which I manually manage the cookies and Javascript permissions for sites and use that for personal email, banking, shopping – anything I truly value. Finally, I have a 3rd profile setup so that I enable Javascript and cookies for session only on which I use untrusted sites. On all these, I always delete my history and cookies and saved sessions when I exit. I would much rather type in a password for the second, third, fourth… umpteenth time than risk being a victim.

One reply on “The Paranoid Lady’s Guide to Web Attacks, or Why You’ll Love NoScript”

Leave a Reply