3rdKey Password Protection

What is a Cross-Site Scripting attack, and how does 3rdKey block it?

In short, Cross-Site Scripting (XSS) is an attack in which a script the site's owner never intended runs in a visitor's browser with the full privileges of that site, so it can read or manipulate anything the site's own pages can. Classic XSS smuggles the script in through unfiltered input; the story below shows a close cousin, a script the site deliberately loads from another server. That script runs with exactly the same privileges and can do exactly the same damage.

A web site (a worthy orphanage in South Africa) wants to be better known, so it puts the chatter "like" button on its pages.

Dave, a true philanthropist, makes a donation, then clicks the chatter "like" button to let his friends know about this worthy cause. The button loads a script from chatter's server; that script has Dave "like" and "follow" the orphanage, and then tells all of Dave's chatter friends about it.

Good for Dave, good for the orphanage, good for chatter; everybody's happy.

As long as chatter is highly moral and ethical and is never hacked. (Have companies like chatter ever been breached? There are well-known lists of breaches at Facebook and at Twitter.)

When the script runs, it runs inside the orphanage's page, so it can read the cookies (any that are not marked HttpOnly) and the web storage that belong to the orphanage's site, exactly as the orphanage's own scripts could.

So if chatter is not highly moral and ethical, or if it has been hacked, its script can "steal" Dave's session with the orphanage's site.

Suppose chatter was recently hacked and a "virus" script was added to the like function. When Dave clicked "like", his session details were sent to the attacker, who has just used them to send $1000 of Dave's hard-earned cash to a bank account in Mauritius.

The above scenario is purely fictitious, although things like it happen many times every day. The orphanage is real: it is in South Africa and does wonderful things every day with very little money.

But how does a site like ours prevent this kind of thing from happening?

Any site that understands this problem, including ours, configures its cookies so that they cannot be read by script at all (the HttpOnly flag) and are not sent with requests that come from other sites (the SameSite attribute). Note the limit of that defence: a script included on your own page runs as your own page, not as a "different site", so HttpOnly protects the cookie itself but not anything the script can do while the page is open, and nothing at all that is kept in web storage.

But additionally, we do not trust any other site: we will not put a script from any other site on any of our pages, ever. That is why you will not find a "like" button on our pages.
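One way to have the browser enforce that rule, as an added example that is not 3rdKey's own code: serve every page with a Content-Security-Policy header whose `script-src` lists only `'self'`, then audit the scripts the page loads against it. The Node code below models how a browser evaluates that directive. It covers `'none'`, `'self'` and host sources (scheme, host with an optional `*.` wildcard, port; any path in a source is ignored); nonces, hashes, `'unsafe-inline'` and inline scripts are not modelled. The page URL, the script URLs and the `orphanage.example` / `chatter.example` hosts are constructed for the demonstration.

```javascript
// Added example (not 3rdKey's code): a Node model of the browser's decision
// "may this <script src=...> load?" under a Content-Security-Policy header.
// Covers 'none', 'self' and host sources; nonces, hashes and inline scripts are not modelled.

// "default-src 'self'; script-src 'self' https://cdn.x" -> { 'default-src': [...], 'script-src': [...] }
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Split a host-source expression into scheme, host and port without URL(),
// which would not accept the "*." wildcard. A trailing path is ignored.
function parseHostSource(source) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(source);
  if (!m) return null;
  return { scheme: m[1] ? `${m[1].toLowerCase()}:` : null, host: m[2].toLowerCase(), port: m[3] || '' };
}

// Does one source expression permit this script URL on this page?
function sourceMatches(source, scriptUrl, pageUrl) {
  if (source === "'none'") return false;
  if (source === "'self'") return originOf(scriptUrl) === originOf(pageUrl);
  const allowed = parseHostSource(source);
  if (!allowed) return false;                                  // unsupported expression: fail closed
  const s = new URL(scriptUrl);
  const scheme = allowed.scheme || new URL(pageUrl).protocol;  // schemeless source inherits the page's scheme
  if (s.protocol !== scheme) return false;
  const hostOk = allowed.host.startsWith('*.')
    ? s.hostname.endsWith(allowed.host.slice(1))               // *.example.com matches a.example.com, not example.com
    : s.hostname === allowed.host;
  const portOk = allowed.port === '*' || allowed.port === s.port; // '' on both sides means the scheme's default port
  return hostOk && portOk;
}

// The directive that governs scripts: script-src, else default-src, else no restriction.
function scriptAllowed(cspHeader, pageUrl, scriptUrl) {
  const policy = parseCsp(cspHeader);
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return true;
  return sources.some((src) => sourceMatches(src, scriptUrl, pageUrl));
}

// Audit every <script src> on a page against the header it is served with.
function auditPage(cspHeader, pageUrl, scriptUrls) {
  return scriptUrls.map((url) => ({ url, allowed: scriptAllowed(cspHeader, pageUrl, url) }));
}

// Constructed page and scripts: the orphanage's own app.js plus two copies of
// the social network's like-button widget.
const PAGE = 'https://orphanage.example/donate';
const SCRIPTS = [
  'https://orphanage.example/js/app.js',
  'https://chatter.example/like.js',
  'https://cdn.chatter.example/widgets/like.js',
];
// The "no script from any other site" rule, expressed as a header:
const STRICT = "default-src 'self'; script-src 'self'";
// A looser policy that still trusts the network's CDN:
const LOOSE = "script-src 'self' https://*.chatter.example";

console.log(auditPage(STRICT, PAGE, SCRIPTS));
console.log(auditPage(LOOSE, PAGE, SCRIPTS));
```

The audit is the check to run before shipping a policy: list every script the page loads and confirm each one is either first-party or blocked. Note that `'self'` covers only the origin, so a first-party copy of a third-party library is still allowed; reviewing that copy remains the page author's job, and CSP does nothing about a compromise of your own server.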


Explain Cross-Site Request Forgery (CSRF), and how 3rdKey prevents it.

This can be confused with Cross-Site Scripting: the effect is about the same, but the method is quite different.

In XSS, the attacker's script has stolen Dave's login by reading the site's cookies. In CSRF, the attacker's site never sees those cookies at all: it "guesses" that Dave is logged in to the target site and makes Dave's browser send that site instructions, which arrive with Dave's cookies attached, so the site cannot tell them from Dave's own.
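The forged request described above, as an added example that is not 3rdKey's own code (the page does not say how 3rdKey prevents CSRF; the checks modelled here are the standard ones): a Node model of a bank's `/transfer` endpoint, the attacker's auto-submitted form, which cookies the browser attaches under each `SameSite` setting, and two independent server-side checks that reject the forgery while still accepting Dave's real request. The `bank.example` and `evil.example` hosts, the paths, the cookie and token values and the balances are constructed for the demonstration.

```javascript
// Added example (not 3rdKey's code): CSRF against a made-up bank, with the
// browser's SameSite rules and two server-side defences modelled in Node.

// Toy "same-site" test: compare the last two labels of the hostname.
// Real browsers use the Public Suffix List; this is enough for the demo.
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Which cookies does the browser attach to `req`?
//   req = { url, method, initiator (the page that caused the request),
//           topLevelNavigation (true for a form submit or link click) }
function cookiesAttached(jar, req) {
  const sameSite = siteOf(req.initiator) === siteOf(req.url);
  return jar.filter((c) => {
    if (c.secure && !req.url.startsWith('https:')) return false;
    if (sameSite) return true;                        // same-site: always sent
    switch ((c.sameSite || 'Lax').toLowerCase()) {    // no attribute: treated as Lax
      case 'strict': return false;                    // never on cross-site requests
      case 'none':   return c.secure === true;        // None is ignored without Secure
      default:       return req.topLevelNavigation && req.method === 'GET'; // Lax
    }
  });
}

const BANK_ORIGIN = 'https://bank.example';

// The bank's transfer handler. `checks` toggles the defences so the vulnerable
// and hardened versions can be compared on the same request.
function handleTransfer(req, cookies, sessions, checks) {
  const session = sessions[cookies.session];
  if (!session) return { status: 401, reason: 'no valid session cookie' };
  // Defence 1: the browser sets Origin itself; a forged form submission carries the attacker's.
  if (checks.origin && req.headers.origin !== BANK_ORIGIN) {
    return { status: 403, reason: 'cross-site origin' };
  }
  // Defence 2: a per-session secret embedded in the bank's own form. Another site
  // cannot read it, so it cannot include it in a forged request.
  if (checks.token && req.body.csrfToken !== session.csrfToken) {
    return { status: 403, reason: 'missing or wrong CSRF token' };
  }
  session.balance -= req.body.amount;
  return { status: 200, reason: 'transferred' };
}

// Constructed requests. Dave is logged in to bank.example in the same browser.
const FORGED = {                                   // evil.example auto-submits a hidden form
  url: 'https://bank.example/transfer', method: 'POST',
  initiator: 'https://evil.example/free-prize', topLevelNavigation: true,
  headers: { origin: 'https://evil.example' },     // set by the browser, not chosen by the attacker
  body: { to: 'MU-account', amount: 1000 },        // no csrfToken: the attacker never saw Dave's form
};
const LEGIT = {                                    // Dave submits the bank's own form
  url: 'https://bank.example/transfer', method: 'POST',
  initiator: 'https://bank.example/transfer-form', topLevelNavigation: true,
  headers: { origin: 'https://bank.example' },
  body: { to: 'orphanage', amount: 100, csrfToken: 'tok-9f1c' },
};

// Simulate one request end to end and report the outcome and Dave's balance.
function simulate(req, { cookieSameSite, checks }) {
  const sessions = { 'dave-session-id': { csrfToken: 'tok-9f1c', balance: 5000 } };
  const jar = [{ name: 'session', value: 'dave-session-id',
                 secure: true, httpOnly: true, sameSite: cookieSameSite }];
  const cookies = Object.fromEntries(cookiesAttached(jar, req).map((c) => [c.name, c.value]));
  const result = handleTransfer(req, cookies, sessions, checks);
  return { ...result, balance: sessions['dave-session-id'].balance };
}

const NO_CHECKS = { origin: false, token: false };
const ALL_CHECKS = { origin: true, token: true };
console.log('vulnerable  :', simulate(FORGED, { cookieSameSite: 'None', checks: NO_CHECKS }));
console.log('SameSite=Lax:', simulate(FORGED, { cookieSameSite: 'Lax', checks: NO_CHECKS }));
console.log('origin+token:', simulate(FORGED, { cookieSameSite: 'None', checks: ALL_CHECKS }));
console.log('legit user  :', simulate(LEGIT, { cookieSameSite: 'Strict', checks: ALL_CHECKS }));
```

Each layer stops the forgery on its own, which is the point of using more than one: `SameSite=Lax` or `Strict` keeps the cookie out of the cross-site POST, the Origin check rejects the request even when the cookie arrives, and the token check rejects it because the attacker's page can never read the bank's form. Two caveats a practitioner would want: Lax still sends the cookie on top-level GET navigations, so a GET must never change state; and Chrome's Lax-by-default treats a cookie with no SameSite attribute as Lax but still sends it on top-level POSTs for two minutes after it is set, so set the attribute explicitly rather than relying on the default.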

©copyright 1997-2023