There is a javascript worm spreading on facebook. The worm tricks users into executing javascript by copying and pasting the payload into the address bar. This is not xss, this is social engineering. If you read the worm's source code you'll see that its riding on the session and forging requests like the Sammy worm. What are some way that a web application can prevent this type of attack?
If we're talking about a malicious user script manipulating the DOM (like this one seems to be doing):
You could ensure all the native JS code is hidden away from the global scope (through closures) and then hijack the document
property of window
. There can be ways a worm can circumvent this, but it will surely make things harder.
This is not something I've actually attempted and have proven to work, but the basic idea is:
(function () {
// Initialize page
// When we're done, make document inaccessible
window.document = null;
})();
The pretense is, all native code that's executed during page initialization (including jQuery code etc.) should be bound to the actual document
object through closure. It should not be possible for "javascript:" code in the address bar to access the actual document by executing in the global scope.
Again, I might be missing something blatantly flawed with this idea, and I'm ready to embrace all the downvotes. Maybe there are additional steps that need to be taken to completely hide away document
.
Education is the best and only way.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With