What is a Cross-Site Scripting attack, and how does 3rdKey block it?

3rdKey.com prevents Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks by ensuring that other sites cannot read or manipulate your data. The platform sets its cookies so that script cannot read them, and it loads no script from any third party. For added security, 3rdKey generates a unique token for each page, so a request forged by another site, which cannot know that token, is rejected. This proactive approach prevents theft of password data and unauthorized transactions.

In short, Cross-Site Scripting (XSS) is script from one party running inside another site's page, where it can read or manipulate whatever that page can: its cookies, its web storage, and whatever the user types into it.

A web site, TLC.org.za (a worthy orphanage in South Africa), wants to be better known, so it puts a chatter.com "like" button, a script loaded from chatter.com's servers, on its pages.

Dave, a true philanthropist, makes a donation using moneyFriend.com, then clicks the chatter "like" button to let his friends know about this worthy cause.

chatter.com's script runs inside TLC.org.za's page, has Dave "like" and "follow" TLC.org.za, and then tells all of Dave's chatter friends about it.

Good for Dave, good for TLC.org.za, good for chatter.com; everybody's happy.

As long as chatter.com is highly moral and ethical and is never hacked. (Have companies like chatter.com ever been breached? Both Facebook and Twitter have a long public record of breaches.)

Because the browser runs the chatter.com script as part of TLC.org.za's page, the script can read TLC.org.za's cookies (any not marked HttpOnly), its web storage, and anything on the page itself, including the contents of form fields.

So if chatter.com is not highly moral and ethical, or if it has been hacked, it can "steal" Dave's moneyFriend.com connection.

Suppose chatter.com was recently hacked by scumBag.net, and a malicious script was added to the "like" function. When Dave clicked "like", his moneyFriend.com details were sent to scumBag.net, and scumBag.net has just sent $1000 of Dave's hard-earned cash to a bank account in Mauritius.

The above scenario is purely fictitious, although things like it happen many times every day.

TLC.org.za is a real orphanage in South Africa that does wonderful things every day with very little money.

But how does a site like 3rdKey.com prevent this kind of thing from happening?

Any site that understands this problem, including 3rdKey.com, configures its cookies so that they cannot be read or sent by other sites. In practice that means three cookie attributes: HttpOnly, so that script in the page (first-party or third-party) never sees the cookie through document.cookie; Secure, so that it travels only over HTTPS; and SameSite, so that a request started from another site does not carry it.

But additionally, we do not trust any other site: we never put a script from any other site on any of our pages. That is why you do not find the "like" button on our pages.