What is a Cross-Site Scripting attack, and how does 3rdKey block it?
In short, Cross-Site Scripting (XSS) is getting a script from one site to run inside another site's pages, where it can read or manipulate that site's data in the visitor's browser.
A web site, TLC.org.za (a worthy orphanage in South Africa), wants to be better known, so it puts a chatter.com "like" button on its pages.
Dave, a true philanthropist, makes a donation using moneyFriend.com, then clicks the chatter "like" button to let his friends know about this worthy cause.
chatter.com runs a script which has Dave "like" and "follow" TLC.org.za, and then tells all of Dave's chatter friends about it.
Good for Dave, good for TLC.org.za, good for chatter.com; everybody's happy.
As long as chatter.com is highly moral and ethical and is never hacked.
(Have any companies like chatter.com ever been breached? Here's a list of breaches at Facebook, and here's a list of breaches at Twitter.)
When the chatter.com script runs, it can access the cookies and web storage used by TLC.org.za.
So if chatter.com is not highly moral and ethical, or if it has been hacked, it can "steal" Dave's moneyFriend.com connection.
Suppose chatter.com was recently hacked by scumBag.net, and a "virus" script was added to the like function. When Dave clicked "like", his moneyFriend.com details were sent to scumBag.net, and scumBag.net has just sent $1000 of Dave's hard-earned cash to a bank account in Mauritius.
The above scenario is purely fictitious, although things like it happen many times every day.
TLC.org.za is a real orphanage in South Africa that does wonderful things every day with very little money.
But how does a site like 3rdKey.com prevent this kind of thing from happening?
Any site that understands this problem, including 3rdKey.com, configures its cookies so they cannot be accessed by other sites.
But in addition, we do not trust any other site: we will never put a script from another site on any of our pages.
That is why you do not find a "like" button on our pages.
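To make the cookie point above concrete, here is an added example (not 3rdKey.com's code) that builds a session cookie with the attributes that keep it out of reach of page scripts and other sites, and audits a Set-Cookie header for the weak settings. One caveat worth knowing: a script fetched from chatter.com but embedded in TLC.org.za's page runs as part of TLC.org.za as far as the browser is concerned, so cookie-domain settings alone do not stop it; what hides the cookie from any page script is the HttpOnly attribute, while Secure and SameSite control where the browser will send it. The sample headers are constructed, not captured from any real site.

```python
"""Cookie hardening against a third-party script on the page.

Added example, not 3rdKey.com's code. Assumed scenario: a site sets a
session cookie and also embeds a script served by another site. Any
script running in the page can read document.cookie, except for cookies
marked HttpOnly, which the browser never exposes to scripts.
"""

# Attributes a session cookie should carry (assumption: the page names no
# specific attributes, these are the standard ones).
SAFE_SAMESITE = ("Strict", "Lax")


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value}).
    Flag attributes such as Secure and HttpOnly are stored as True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header):
    """Return a list of findings for a session cookie header; empty means OK."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, readable by any script on the page")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, would be sent over plain HTTP")
    # str() turns a missing attribute (None) into "None", which is not safe.
    if str(attrs.get("samesite")).title() not in SAFE_SAMESITE:
        findings.append(f"{name}: SameSite should be Strict or Lax, not missing or None")
    return findings


def build_set_cookie(name, value):
    """Emit a session cookie that page scripts cannot read and that the
    browser only sends on same-site HTTPS requests."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Strict"


def visible_to_page_scripts(headers):
    """Names of cookies a script on the page (first- or third-party) could
    read through document.cookie: every cookie that is not HttpOnly."""
    visible = []
    for h in headers:
        name, _, attrs = parse_set_cookie(h)
        if "httponly" not in attrs:
            visible.append(name)
    return visible


# Constructed sample headers for the demonstration.
WEAK = "session=abc123; Path=/"
HARDENED = build_set_cookie("session", "abc123")

if __name__ == "__main__":
    print(audit_set_cookie(WEAK))       # three findings
    print(audit_set_cookie(HARDENED))   # []
    print(visible_to_page_scripts(["sid=abc; Path=/", "theme=dark", HARDENED]))
```

Run it as a script to see the audit output for the weak and the hardened header. HttpOnly stops a script reading the cookie, but it does not stop the browser attaching the cookie to requests a page makes on the visitor's behalf; that is the CSRF problem covered in the next question.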
Explain Cross-Site Request Forgery (CSRF), and how 3rdKey.com prevents it.
This is easily confused with Cross-Site Scripting: the effect is much the same, but the method is quite different.
In XSS, the scumBag.net virus script stole Dave's login by reading goodSite.com's cookies;
in CSRF, scumBag.net "guesses" that Dave is logged in to goodSite.com and sends it instructions in Dave's name.
scumBag.net sends out spam email to everyone in the UK that looks like it's from LastCityBank.com.
The email advertises a discount at SendFlowersToYourMum.net for LastCityBank.com customers.
Dave clicks on the link to SendFlowersToYourMum.net because it's his mum's birthday, and it sounds like a great deal.
On arriving at SendFlowersToYourMum.net, none of the links seem to work, so Dave goes away and finds another florist.
But it turns out that SendFlowersToYourMum.net, as part of the scumBag.net network, sent a request to LastCityBank.com to transfer £1000 to a bank account in Mauritius.
If Dave was not logged in at the time, no harm done, but if he was, well, he might have just been relieved of £1000.
What can be done to stop this?
We cannot speak for LastCityBank.com, but most real banks have blocked this, often by asking you to verify the transfer.
3rdKey.com creates a special "token" for every web page, and any request must carry that "token" in order for us to process it.
So scumBag.net can never "fake" a request at 3rdKey.com.
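The per-page token scheme described above, as an added example rather than 3rdKey.com's own code. It assumes a server-side secret, a logged-in session id that the browser sends automatically as a cookie, and a token that each rendered page embeds in its forms and sends back with every state-changing request. The session ids, amounts and request shapes are constructed for the demonstration. The key property is that a page on another site can make Dave's browser send his cookie, but cannot read a token that only appears inside the page Dave's own site served him.

```python
"""Per-page anti-CSRF token: issue, embed, verify.

Added example, not 3rdKey.com's code. Assumptions: SERVER_SECRET is a
per-deployment secret; the token is bound to the session so a token
minted for one visitor is useless with another visitor's cookie.
"""
import hashlib
import hmac
import secrets

# Per-deployment secret; generated here only so the example runs stand-alone.
SERVER_SECRET = secrets.token_bytes(32)


def _mac(session_id, nonce):
    """HMAC over session id and nonce; only the server can compute it."""
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id):
    """Mint a fresh token for one page render: nonce.mac.
    A new nonce per page means every page carries a different token."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_token(session_id, token):
    """True only if the token was minted for this session. Constant-time
    comparison so a forger learns nothing from response timing."""
    if not token or "." not in token:
        return False
    nonce, _, mac = token.partition(".")
    return hmac.compare_digest(mac, _mac(session_id, nonce))


def handle_transfer(request):
    """Minimal server handler. ``request`` is a dict holding the session
    cookie the browser attaches automatically plus the submitted fields."""
    session_id = request.get("cookie_session")
    if not session_id:
        return "rejected: not logged in"
    if not verify_token(session_id, request.get("csrf_token")):
        return "rejected: missing or forged token"
    return f"ok: transferred {request['amount']} to {request['to']}"


if __name__ == "__main__":
    # Dave's own page at the site embeds a token for his session.
    dave_token = issue_token("dave-session")
    print(handle_transfer({"cookie_session": "dave-session",
                           "csrf_token": dave_token,
                           "amount": "£10", "to": "florist"}))
    # A request triggered from another site: the browser still sends Dave's
    # cookie, but that site never saw the token, so nothing is transferred.
    print(handle_transfer({"cookie_session": "dave-session",
                           "amount": "£1000", "to": "Mauritius"}))
    # A token the other site obtained for its own session does not help.
    print(handle_transfer({"cookie_session": "dave-session",
                           "csrf_token": issue_token("other-session"),
                           "amount": "£1000", "to": "Mauritius"}))
```

The token is deliberately carried in the page (a hidden form field or a request header set by the site's own script), never in a cookie, because the browser would attach a cookie to the forged request just as readily. Binding the token to the session with an HMAC keeps the server stateless; a production version would usually also add an expiry to the signed data so old pages cannot be replayed indefinitely.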